The importance of record keeping and information management for NDIS providers

Posted 1 year ago by Rebecca St Clair
Strong information management systems provide the foundation for continuous improvement and high quality, safe service delivery. (Source: Shutterstock)

OPINION – Records are an important part of making sure information is available when it is needed, but they are often overlooked.

Compliance with record keeping requirements is one of the main sources of information used by auditors, tribunals and courts to verify that an individual has been cared for appropriately.

However, record keeping and information management systems can often be overlooked, particularly when a National Disability Insurance Scheme (NDIS) provider’s capacity and resources are stretched.

Now more than ever, the risks arising from remote working, dependence on agency staff and increased absenteeism make information management an essential part of planning for business continuity.

Strong information management systems also provide the foundation for continuous improvement and high quality, safe service delivery.

Information management and the NDIS Practice Standards

Under the NDIS, providers generally need to meet record keeping requirements.

Registered NDIS providers that are subject to the Core Module must have an information management system in place that is relevant and proportionate to the size and scale of the organisation.

The systems must record all client information in an accurate and timely way.

Providers must ensure that documents are stored with appropriate use, access, transfer, storage, retrieval, retention, destruction and disposal processes relevant and proportionate to the scope and complexity of supports delivered.

Good progress noting supports high quality care

Progress notes capture progress towards a client’s goals and the implementation of support plans, and provide a record of events during each appointment or shift. This enables staff to identify, communicate and coordinate around the needs of the client.

Whether considered from the perspective of care delivery, NDIS quality audits, or legal protection, a well-written record is a provider’s best evidence to show that services have been delivered properly and with care.

Progress noting principles 

The following principles apply generally to all progress noting, clinical records, reports and planning documents:

  • Write legibly and always use a pen if writing notes.
  • If note keeping is done by hand and corrections or deletions are required, rule a line through the error, write the correction and initial the change. Make sure the original entry is still readable. Never erase or use whiteout.
  • Document observations and actions accurately; clearly state facts of the situation.
  • Use language with which you are familiar and comfortable – do not use technical terms unless you (and readers) know what they mean.
  • Record all relevant information as completely and concisely as possible.
  • Record observations, events and conversations as soon as possible after they occur. Timely recording improves the accuracy and completeness of what is captured.
  • Enter the date and time and sign all entries in the record. Develop and follow consistent protocols for date and time format, use of initials, position designations and other identifiers in the record.
  • Where services are delivered to multiple clients in the same environment, make sure each client’s record is clearly distinguishable; make sure the record is for the correct client before making an entry, particularly where noting healthcare and medication issues.
  • Check previous entries, particularly progress notes. This ensures continuity, coordination and follow-ups on care issues.
  • Develop and follow guidance on accepted abbreviations.
  • Where the information may be relevant to progress reports or care planning, consider the audience (what they need to know and action).

Steps for effective information management

The best practice standards for information security management systems are set out in the International Organization for Standardization’s ISO 27001.

While NDIS providers are not required to obtain ISO 27001 certification, it offers a useful framework of measures and controls that can be tailored to what is relevant and proportionate to an organisation or provider.

At a high level, the steps for effective information management in ISO 27001 require that:

  1. There is an ‘Inventory of Information Assets’ that records anything where information is stored, processed or accessible (including IT hardware, software, people and physical files) and owners of those ‘assets’.
  2. Information that is collected and kept is classified according to the organisation’s classification system.
  3. Information is handled in a secure way according to organisational procedures for its classification type.

Classifying and handling information 

Procedures for handling information should be developed and implemented in accordance with the organisation’s information classification scheme.

What is an appropriate classification depends on your business, but should be relevant to operations and proportionate to the nature of information handled.

Generally, information is classified by reference to legal requirements, value (or risk) to the organisation, and consequences (for example, sanctions) for unauthorised disclosure or modification.

Shifts in the workplace, such as remote working, transition of staff and/or clients, are a good catalyst to remind staff and stakeholders of organisational requirements and personal responsibility for protecting personal information and privacy.

At a minimum, the information management system must set out what and how personal data is collected (with consent), classified and handled, as well as the controls for protecting from loss, destruction, disposal and unauthorised access or disclosure of the records that hold such information, in accordance with the Australian Privacy Principles, Privacy Act 1988 and other legal requirements that may apply.

Remember, any record containing personal information is subject to high standards of confidentiality and integrity.

You should also make sure that each client understands what personal information is collected, gives informed consent to its collection and that your organisation’s confidentiality policies are communicated in a way that the client is most likely to understand.

The system should also document ‘access controls’ that clarify who needs to access, know, and use information of different classification types and who is authorised to edit or destroy records.

Access control rules should be supported by formal procedures and defined responsibilities and may need to be reviewed (or removed) based on changes in roles (particularly where staff leave the organisation).

What is ‘relevant and proportionate’?

A number of systems that the NDIS Quality Indicator Guidelines require providers to establish and maintain (including information management) are described as needing to be relevant and proportionate to the scope and complexity of supports delivered and the size and scale of the organisation.

Unfortunately, there is no further guidance on what is relevant and proportionate to matters of size, scale, scope and complexity.

Generally, a larger organisation will require more comprehensive and detailed procedures, whereas a small organisation that operates with a few staff may not need the same level of detail.

Considerations that are relevant to issues of size, scale, scope and complexity, include but are not limited to:

  • What is the ‘span of control’ within your organisation? What are the factors influencing the span of control (e.g. ratio of managers to supervised staff, high numbers of new staff)?
  • What needs to be documented to ensure enough documentation is available to address typical activities in the day-to-day working environment?
  • What is needed to provide accountability for how supports are delivered and decisions that are made?
  • Is, or will the organisation be, registered to provide ‘high risk’ supports (high intensity personal activities, specialist behaviour supports, disability accommodation or early childhood interventions)?



This commentary is general in nature and provided for informational purposes only. It is not intended to be comprehensive and does not constitute legal advice.  You should seek legal or other professional advice or consult with the appropriate government authority if you are unsure about how the issues raised in this commentary apply to the circumstances of your business.

Kai Sinor is a legal practitioner and former Assistant Director for Compliance at the NDIS Quality and Safeguards Commission. He specialises in regulatory matters and has worked across a variety of social justice and regulatory issues for the past decade. Kai is a Senior Lawyer at MPS Law, where he provides legal services to NDIS providers on compliance, corporate and commercial matters.


Original publication date: May 12, 2020