NDIS Code of Conduct Breach Examples: Real-World Scenarios
Understanding NDIS code of conduct examples is the fastest way to prevent violations in your own organisation. The Commission has taken action against providers across every type of breach — from financial abuse to physical harm. Knowing what went wrong for others helps you spot the same risks in your own practice.
The NDIS Code of Conduct sets seven binding obligations for all providers and workers. Yet code of conduct violations continue to occur across the sector. Some result in banning orders. Others lead to multi-million dollar penalties. In all cases, participants are harmed and provider reputations are damaged permanently.
This guide walks through NDIS code of conduct examples organised by each obligation. It also examines real Commission enforcement cases and draws practical lessons you can apply today. For a complete grounding in the code itself, start with our NDIS Code of Conduct complete guide for providers.
What Is the NDIS Code of Conduct?
The NDIS Code of Conduct is a legally binding framework established by the NDIS Quality and Safeguards Commission. It applies to all NDIS providers and workers — both registered and unregistered.
The code contains seven obligations. Together, they form the minimum ethical and safety standards that everyone in the sector must meet. These obligations are not aspirational guidelines. They are enforceable requirements, and the Commission actively monitors compliance.
The seven obligations require providers and workers to:
- Act with respect for individual rights to freedom of expression, self-determination, and decision-making
- Respect the privacy of people with disability
- Provide supports and services in a safe and competent manner
- Act with integrity, honesty, and transparency
- Promptly take steps to raise and act on concerns about quality and safety
- Take all reasonable steps to prevent and respond to violence, exploitation, neglect, and abuse
- Take all reasonable steps to prevent and respond to sexual misconduct
Breach scenarios can involve any one of these obligations — or multiple obligations at once. The examples below illustrate how each can be violated in practice.
NDIS Code of Conduct Examples by Obligation
The following NDIS code of conduct examples are drawn from Commission guidance, published enforcement actions, and sector-wide incident patterns. Each scenario is mapped to a specific obligation to help providers identify comparable risks in their own operations.
Obligation 1: Failing to Respect Participant Rights
Participants have the right to make their own decisions about their lives and supports. This includes decisions that others may disagree with. A breach occurs when a provider overrides, ignores, or manipulates these choices.
The Tamina scenario — published in NDIS Commission guidance — illustrates how a provider violated this obligation through unconscionable sales conduct.
Tamina, a plan-managed participant, was approached by a provider who pressured her into purchasing assistive technology she did not need or request. The provider used high-pressure sales tactics, misrepresented what the technology would do, and exploited Tamina’s limited understanding of her NDIS plan.
This conduct was referred to the Australian Competition and Consumer Commission (ACCC) as well as the NDIS Commission. The provider breached Obligation 1 by overriding Tamina’s right to make an informed, free decision. They also breached Obligation 4 by acting dishonestly and without transparency.
Similar code of conduct violations arise when providers make decisions on behalf of participants without seeking input, restrict participants from accessing other providers, or use emotional pressure to influence support choices.
Obligation 2: Privacy Violations
Participants share sensitive personal, medical, and financial information with their providers. Providers must handle this information with strict confidentiality. Privacy breaches are among the most common NDIS code of conduct examples reported to the Commission.
A support worker discussed a participant’s mental health diagnosis and living situation with other clients during a group activity. The participant had not consented to this disclosure.
Additionally, a registered provider stored participant records on an unsecured shared drive accessible to all staff — including those with no relationship to those participants.
Both situations constitute breaches of Obligation 2. The Commission expects providers to have documented privacy policies, access controls, and staff training on confidentiality requirements.
Privacy breach scenarios also include sharing participant images on social media without consent, providing participant information to family members without the participant’s agreement, and failing to secure physical files or electronic records.
Obligation 3: Incompetent or Unsafe Service Delivery
Delivering supports in a safe and competent manner requires qualified workers, appropriate supervision, and systems that ensure quality. This obligation is the most frequently cited area in serious enforcement cases.
A disability support worker was assigned to assist a participant with complex medical needs, including bowel care and pressure injury management. The worker had received no specific training for these tasks.
Over several months, the participant developed serious pressure injuries. The provider had no clinical oversight process and had not assessed whether the worker had the necessary skills before assigning the task.
The participant was hospitalised. The Commission investigated and found both the worker and the provider in breach of Obligation 3. The provider also faced scrutiny for failing to have a proper incident management system — see our NDIS incident management guide for what these systems should include.
Other common breach scenarios under Obligation 3 include providing medication support without appropriate training, failing to follow a participant’s behaviour support plan, and delivering services that fall outside a worker’s competence.
Obligation 4: Dishonesty and Lack of Transparency
Integrity and transparency are foundational requirements. Code of conduct violations under this obligation often involve financial conduct — billing for services not delivered, falsifying records, or misrepresenting provider credentials.
A provider submitted claims to the NDIS for support hours that were never delivered. The provider also claimed for two workers attending a session when only one was present.
When the Commission audited the provider’s records, the discrepancies were identified. The provider had no documentation to support the claims. As a result, the NDIS sought repayment of overpaid funds. The provider faced civil penalties and was subsequently de-registered.
Honesty obligations also apply to workers who falsify timesheets, to providers who hide adverse events from participants, and to anyone who misrepresents their qualifications when seeking work in the sector.
Obligation 5: Failure to Raise and Act on Safety Concerns
Workers and providers must act promptly when they become aware of risks to participant safety or quality of care. Staying silent — even out of loyalty to a colleague — is itself a breach.
A support worker observed a colleague behaving aggressively toward a participant during a home visit. The worker did not report the incident to management. The aggressive behaviour continued over several weeks and escalated to physical rough handling.
When the incidents were eventually discovered, both the perpetrating worker and the observing worker faced investigation. The observing worker breached Obligation 5 by failing to raise the concern promptly. The Commission took the position that silent witnesses in positions of responsibility are themselves in breach when they fail to act.
Understanding NDIS reportable incidents is essential here. Providers must have clear pathways for workers to raise concerns without fear of retaliation. Without these systems, Obligation 5 breaches become more likely.
Obligation 6: Violence, Exploitation, Neglect, and Abuse
This obligation carries the most serious consequences when breached. NDIS Commission cases involving neglect, exploitation, and abuse have resulted in banning orders and significant financial penalties.
Staff at a residential disability service routinely left a non-verbal participant in soiled continence products for extended periods. Management was aware the staffing levels were inadequate to meet participant needs but continued to roster only one worker overnight for a house of four participants.
The neglect was identified after a family member made an unannounced visit. The Commission found multiple breaches of Obligation 6. The provider was required to implement a mandatory improvement plan. Two workers received banning orders for their direct involvement in the neglect.
Financial exploitation is also a critical area. Breach scenarios include workers borrowing money from participants, influencing participants to change their wills, or facilitating unauthorised access to participant funds. For related guidance, see our NDIS Practice Standards guide on rights and safeguarding obligations.
Obligation 7: Sexual Misconduct
Sexual misconduct within NDIS services is treated as one of the most serious categories of breach. The power imbalance between providers and participants makes any sexual relationship between a worker and participant inappropriate — regardless of apparent consent.
A support worker developed a personal relationship with a participant during in-home support sessions. The worker began communicating with the participant outside of work hours, using personal contact details. The relationship became sexual over time.
When the provider became aware, they dismissed the worker. However, they had failed to report the matter to the Commission or to police as required. The Commission found the provider in breach of Obligation 7 for inadequate prevention systems and for failing to respond appropriately once aware of the conduct.
Prevention systems for Obligation 7 include clear policies on professional boundaries, mandatory training for all workers, and a reporting process that participants can access independently of the provider.
Real Commission Enforcement Cases
Published NDIS Commission cases provide the most direct evidence of how code of conduct violations are investigated and penalised. The following cases illustrate the seriousness of enforcement action.
Case: Oak Tasmania — $1.1 Million Penalty
Oak Tasmania (formerly Southern Cross Care Tasmania) received one of the largest penalties in NDIS enforcement history. The provider faced a $1.1 million civil penalty following serious failures in participant safety, reporting obligations, and governance.
The failures included inadequate responses to reportable incidents, poor record-keeping, insufficient staff supervision, and a failure to take action when safety concerns were raised internally. The case demonstrated that systemic governance failures — not just individual worker misconduct — can result in major penalties.
This case is a landmark example of how the Commission takes action when providers fail to maintain adequate safeguarding systems. See the Commission’s compliance and enforcement page for more published enforcement outcomes.
Case: Banning Orders for Individual Workers
The Commission has issued banning orders against numerous individual workers for code of conduct violations. These orders prevent the named person from delivering any NDIS supports for a specified period or permanently.
Published banning order cases include workers who physically assaulted participants, workers who financially exploited participants, and workers who formed inappropriate sexual relationships with the people they supported.
Importantly, banning orders can also be issued against providers who knowingly employed workers with known histories of misconduct. This reinforces the importance of thorough pre-employment checks, including those described in our NDIS worker screening guide.
Case: De-Registration for Systemic Failures
Several providers have lost their NDIS registration following investigations into systemic code of conduct violations. In these cases, the Commission found that the provider’s overall governance, culture, and practices created an environment where breaches were likely or ongoing.
De-registration means the provider can no longer receive NDIS funding. Participants must be transitioned to alternative providers. The reputational and financial consequences are permanent. These NDIS Commission cases underscore that the Commission looks beyond individual incidents to assess whether a provider has the systems and culture to deliver safe services.
What These Cases Teach Providers
Real enforcement cases consistently reveal the same underlying failures. Understanding these patterns allows providers to take targeted preventive action.
| Failure Pattern | What It Looks Like | Preventive Action |
|---|---|---|
| Inadequate incident response | Incidents not recorded, reported, or investigated promptly | Implement a formal incident management system |
| Undertrained workers | Workers assigned tasks beyond their competence | Conduct skills assessments before assigning complex tasks |
| Poor supervision | Workers operating without oversight for extended periods | Schedule regular supervision and performance reviews |
| Weak reporting culture | Workers reluctant to raise concerns about colleagues or management | Establish anonymous reporting channels; train workers on obligations |
| Inadequate screening | Workers with concerning histories employed without proper checks | Apply thorough pre-employment checks; use our worker screening guide |
| Financial mismanagement | Inaccurate claims, billing for undelivered services | Implement service delivery verification and claims reconciliation |
| Governance failures | Leaders unaware of frontline practice, no quality oversight | Use our NDIS compliance checklist for regular governance reviews |
How to Identify Potential Breach Scenarios in Your Organisation
Most code of conduct violations are preventable. They typically start as small lapses that are not caught because the right systems are not in place. Providers who actively look for early warning signs can intervene before a minor issue becomes a serious breach.
Conduct Regular Internal Audits
Review a sample of service delivery records, support plans, and incident logs each quarter. Look for gaps, inconsistencies, and patterns that might indicate a systemic problem. Our NDIS compliance checklist provides a structured framework for this review.
Create Psychological Safety for Raising Concerns
Workers who fear retaliation will not report concerns. Providers must create an environment where raising issues is expected and valued — not punished. This is one of the lessons that comes through most clearly in NDIS Commission cases. The Commission has shown repeatedly that it will look at a provider’s reporting culture when assessing systemic compliance.
Review Participant Feedback Systematically
Participant feedback — including complaints — is one of the earliest indicators of potential code of conduct violations. Providers who take complaints seriously and investigate them thoroughly are much better positioned than those who treat complaints as nuisances. See our NDIS reportable incidents guide for how to handle concerns that may require Commission notification.
Watch for Warning Signs in Worker Behaviour
Individual warning signs that may indicate a breach risk include:
- Workers who resist supervision or observation of their practice
- Workers who discourage participants from contacting family or other providers
- Workers who are frequently alone with participants contrary to care plan requirements
- Workers who accept gifts or personal favours from participants
- Workers who seem to be developing overly personal relationships with participants
- Unexplained financial transactions on participant plans or accounts
Document everything. If you identify a potential breach, start documenting immediately. The Commission will look closely at how quickly you identified the issue and how decisively you acted. Prompt, well-documented responses can significantly reduce the severity of enforcement outcomes.
Align Your Service Agreements With Code Obligations
Clear service agreements set expectations for both providers and participants from the outset. A well-structured NDIS service agreement template should include participant rights, complaint pathways, and what participants can expect from workers. This creates a documented baseline that supports compliance with multiple code obligations at once.
Build Technology Into Your Compliance Process
Manual compliance processes are prone to gaps. Purpose-built NDIS software for providers can automate incident logging, flag overdue reviews, track worker training completion, and generate compliance reports. Technology does not replace good judgment — but it reduces the risk that critical steps are missed.
Remember: The Commission does not need to wait for a reportable incident to investigate a provider. Participant complaints, worker disclosures, and third-party reports can all trigger investigations. Providers who rely only on their own incident reporting as a compliance signal are operating with incomplete information.
Common Questions on Breach Scenarios
What counts as a breach of the NDIS Code of Conduct?
Any action or omission that violates one or more of the seven obligations constitutes a breach. This includes both deliberate misconduct (such as abuse or fraud) and negligent failures (such as poor supervision or inadequate record-keeping). Breach scenarios range in severity from minor procedural lapses to criminal conduct.
How does the NDIS Commission investigate complaints?
The Commission receives complaints from participants, families, workers, and other providers. It then assesses the complaint, gathers information from the provider, and may request additional documentation or conduct interviews. Depending on the findings, it may issue compliance notices, enforceable undertakings, banning orders, or refer matters to other agencies. See the Commission’s enforcement page for detailed process information.
What happens if a worker breaches the code but the provider did not know?
The provider may still face scrutiny. The Commission assesses whether the provider had adequate systems to prevent, detect, and respond to the breach. If the provider lacked proper supervision, screening, or reporting processes, it may be found to have contributed to the breach even without direct knowledge.
Can a single incident result in a banning order?
Yes. A single serious incident — particularly one involving violence, sexual misconduct, or deliberate exploitation — can result in a banning order. The Commission assesses the severity of the conduct, the vulnerability of the participant, and whether the person poses an ongoing risk.
How Inficurex Helps Providers Prevent Code of Conduct Violations
Inficurex exists to help NDIS providers build robust compliance systems before something goes wrong. Our resources cover every aspect of code compliance — from understanding your obligations to implementing the systems that protect participants and your business.
We provide:
- A comprehensive NDIS compliance checklist to audit your current practices
- Guidance on incident management and reportable incidents
- Worker screening guidance through our NDIS worker screening guide
- Practice standards alignment resources via our NDIS Practice Standards guide
- Ready-to-use NDIS service agreement templates
- Purpose-built NDIS provider software to automate compliance tracking
Audit Your Compliance Today
Use our free NDIS compliance checklist to identify where your organisation may be at risk. The best time to find a gap is before the Commission does.
Frequently Asked Questions
Common NDIS code of conduct examples include pressuring participants into unnecessary purchases, sharing participant information without consent, assigning workers to tasks beyond their competence, billing for services not delivered, staying silent when abuse is witnessed, neglecting a participant’s physical care, and forming sexual relationships with participants.
Oak Tasmania received a $1.1 million civil penalty for systemic safety and reporting failures. The case involved inadequate responses to reportable incidents, poor record-keeping, insufficient supervision, and governance failures. It is one of the largest penalties issued by the NDIS Commission.
The Tamina scenario involves a provider using unconscionable sales tactics to pressure a plan-managed participant into purchasing assistive technology she did not need. The conduct was referred to both the NDIS Commission and the ACCC. It illustrates breaches of Obligation 1 (participant rights) and Obligation 4 (honesty and transparency).
There are seven categories of obligations under the NDIS Code of Conduct, and violations can occur within any of them. In practice, many breach scenarios involve multiple obligations simultaneously — for example, violence (Obligation 6) is often accompanied by a failure to report (Obligation 5) and inadequate systems (Obligation 3).
Yes. The Commission can investigate and take action where practices create a risk of harm — even if no injury has yet occurred. This includes providers with systemic governance failures, inadequate supervision arrangements, or policies that do not meet code requirements.
Providers can reduce risk through thorough worker screening, robust incident management systems, regular staff training, clear service agreements, strong supervision practices, and systematic compliance auditing. Using purpose-built NDIS compliance tools and referencing our complete NDIS Code of Conduct guide are practical first steps.
