NDIS IT support means keeping participant records, claiming systems and a distributed support workforce running securely — to the standard the NDIS Quality and Safeguards Commission and the NDIS Practice Standards now expect. Get it wrong and you risk a reportable breach, a failed audit, or support workers locked out of care plans.
Disability service providers sit on some of the most sensitive personal data in the country and run it across phones, tablets and vehicles spread over the whole of Melbourne. That combination — concentrated risk and a mobile workforce — is what makes the IT demanding. Here’s what providers actually need, and where most are exposed.
Registered, unregistered, and the range of services
“NDIS provider” covers a wide spread of organisations, and the IT requirements shift depending on where you sit. A registered provider has been audited against the NDIS Practice Standards and carries explicit obligations around governance, incident management and the handling of participant information. An unregistered provider working with plan-managed or self-managed participants has fewer audit obligations but holds the same sensitive data and the same duty under the Privacy Act — so “we’re not registered” is no reason to run loose IT.
The service types pull in different directions too. A support coordination business is mostly office and laptop work: managing plans, liaising with participants, writing reports. Supported Independent Living (SIL) and community-access services run more like a 24/7 operation across multiple houses, with workers on shift, rosters that change daily, and behaviour-support information needed at the point of care. The software looks similar from outside; the network, device and access design underneath is genuinely different.
The compliance layer: the Commission and the Practice Standards
The NDIS Quality and Safeguards Commission regulates registered providers, and a meaningful slice of its expectations lands on IT. The Core Module of the NDIS Practice Standards carries Provider Governance and Operational Management requirements, and its Privacy and Dignity and Information Management requirements expect providers to keep participant information confidential, accurate and secure, and to control who can access it. That is an identity and data-security problem as much as a policy one.
Two points catch providers out. Accountability stays with you — “we outsourced it to an IT company” is not an answer the Commission accepts. And you have to be able to show it: if a verification or certification audit asks how participant records are protected and who can see them, you need documented access controls, an offboarding process, and evidence your backups work. Most providers can describe their intentions; far fewer can produce the evidence.
PRODA and the NDIS portals
Almost every NDIS provider lives in the government portals, and access is an identity issue with real consequences. PRODA (Provider Digital Access) is the Commonwealth identity gateway that gets staff into the myplace provider portal, the NDIS Commission systems, and the claiming and payment functions. Each PRODA account is tied to an individual, secured with two-factor sign-in, and linked to your organisation.
The risk sits in lifecycle management. When a payments officer leaves and their PRODA access isn’t revoked, you have an orphaned door into participant payment data. We treat PRODA and portal access with the same identity discipline as everything else: documented who-has-what, removed the same day someone leaves, and never shared. Shared logins remain the most common control failure we find in this sector.
Participant management and claiming software
The system at the centre of an NDIS provider’s day is its participant management platform — handling records, plans, shift notes, invoicing and the claim file that goes to the agency. That usually means Lumary, ShiftCare, Brevity, SupportAbility or Carelink, often with finance and payroll alongside.
Whether these run in the cloud or on a server in the comms room, the IT job is the same: they must be available, fast, backed up, and reachable wherever support happens. We treat them as the priority for monitoring, patching and uptime.
A SIL provider in Dandenong we work with runs records, rostering and claiming on one cloud platform. The risk was never the software — it was everything underneath: a single shared login, a flat network where one compromised PC could reach everything, unmanaged personal phones, and backups nobody had tested. None of that is the vendor’s responsibility. It’s the MSP’s, and it’s where the real exposure sits.
Protecting highly sensitive participant data
NDIS providers hold a concentration of sensitive information that makes them a deliberate target: disability and health records, behaviour-support plans, medication details, NDIS numbers, bank and plan-management details, guardianship and next-of-kin information, and often data about minors. Under the Privacy Act and the Australian Privacy Principles, much of this is “sensitive information” attracting the highest protection, and a breach likely to cause serious harm is reportable to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme.
Attackers know care providers often run lean IT and a workforce that’s easy to phish, and the data is high-value — the cyber insurance market has noticed too, with premiums and required controls reflecting the risk.
The defensive baseline we hold NDIS clients to is the Australian Cyber Security Centre's (ACSC) Essential Eight: application control, patching applications, patching operating systems, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, multi-factor authentication, and regular backups that are proven by restoring them. The ACSC assesses it against maturity levels, and most breaches we're called in after would have been stopped or contained by a control genuinely in place rather than half-implemented. If you want the staged version, we've written up how to reach Essential Eight maturity in 90 days.
A mobile workforce: devices, rostering and remote access
Rostering and field devices
SIL and community-access providers run on rosters that change constantly, and support workers need to see shifts, log visit notes and read care plans on a phone or tablet wherever they are. Those devices carry participant data out into the world, so they have to be managed centrally. If a tablet is lost between a shift in Footscray and the next in Sunshine, you need to remotely wipe it within minutes — not discover it’s been sitting unencrypted in a glovebox. Mobile device management through Microsoft Intune, enforced encryption, and conditional access tied to a managed device are what make field devices defensible.
Secure remote access for support workers
Workers reaching rosters and care plans from homes, group residences and their cars need access that’s both easy and locked down — not VPNs into a flat network, but identity-based access where each worker signs in as themselves, MFA is enforced, and what they reach is scoped to their role. A support worker should see their participants and shifts, not the organisation’s whole record set. We run conditional access in Microsoft 365 and build around least privilege, so one compromised account can’t expose every participant.
Identity for a high-turnover workforce
Disability services have significant staff churn — casuals, agency workers, people moving between providers. Every starter needs the right access on day one and every leaver needs it gone the same day, including PRODA. Orphaned accounts are how breaches happen months after someone’s left. We run it properly: standardised onboarding and offboarding, role-based access, and MFA everywhere.
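Reconciling the access register against the HR roster is the check that turns "removed the same day someone leaves", "never shared" and "scoped to their role" into evidence an auditor can read. The following is an added example, not code from this page or from TechAssist. It assumes a hand-maintained register (system, account, owner staff IDs, scope, revocation date) and an HR roster with leaving dates, both constructed inline with placeholder names, and it flags orphaned accounts, logins with more than one owner, revocations later than the leaving date, and accounts whose scope exceeds what the role needs. The role-to-scope map is an assumption for illustration; a real register would come from PRODA organisation membership, Microsoft 365 and the participant platform.

```python
"""Access-register reconciliation (added example; assumptions noted in comments)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Staff:
    staff_id: str
    role: str                       # "support_worker", "coordinator" or "payments_officer"
    left_on: Optional[date] = None  # None while still employed


@dataclass(frozen=True)
class Access:
    system: str                     # e.g. "PRODA", "myplace", "M365", "ShiftCare"
    account: str
    owners: tuple                   # staff IDs; more than one owner means a shared login
    scope: str = "own"              # "own" = own participants/shifts, "all" = whole record set
    revoked_on: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    kind: str
    system: str
    account: str
    detail: str


# Widest scope each role legitimately needs. This map is an assumption for the example.
ROLE_MAX_SCOPE = {"support_worker": "own", "coordinator": "own", "payments_officer": "all"}


def audit_access(staff, register, today):
    """Reconcile every register entry against the HR roster and return the exceptions."""
    by_id = {s.staff_id: s for s in staff}
    findings = []
    for a in register:
        if len(a.owners) != 1:
            findings.append(Finding("shared_login", a.system, a.account,
                                    "owners: " + ", ".join(a.owners)))
        for sid in a.owners:
            s = by_id.get(sid)
            if s is None:
                findings.append(Finding("unknown_owner", a.system, a.account,
                                        f"{sid} not in HR roster"))
                continue
            has_left = s.left_on is not None and s.left_on <= today
            if a.revoked_on is not None:
                # Access is gone; the only question is whether it went the same day.
                if has_left and a.revoked_on > s.left_on:
                    findings.append(Finding("late_revocation", a.system, a.account,
                                            f"{sid} left {s.left_on}, revoked {a.revoked_on}"))
                continue
            if has_left:
                findings.append(Finding("orphaned", a.system, a.account,
                                        f"{sid} left {s.left_on}, access still live"))
                continue
            if a.scope == "all" and ROLE_MAX_SCOPE.get(s.role, "own") == "own":
                findings.append(Finding("over_scoped", a.system, a.account,
                                        f"{sid} ({s.role}) can reach the whole record set"))
    return findings


# Constructed sample data: placeholder staff, accounts and dates, not real people.
AUDIT_DATE = date(2024, 3, 11)
STAFF = [
    Staff("w001", "support_worker"),
    Staff("w002", "support_worker", left_on=date(2024, 3, 1)),
    Staff("p001", "payments_officer", left_on=date(2024, 3, 4)),
    Staff("c001", "coordinator"),
]
REGISTER = [
    Access("PRODA", "proda-p001", ("p001",), scope="all"),                 # left a week ago, still live
    Access("PRODA", "proda-c001", ("c001",)),                               # fine
    Access("ShiftCare", "shiftcare-house4", ("w001", "w002")),              # shared house login
    Access("ShiftCare", "shiftcare-w001", ("w001",), scope="all"),          # worker sees every participant
    Access("M365", "ben@provider.example", ("w002",), revoked_on=date(2024, 3, 5)),  # four days late
    Access("M365", "ana@provider.example", ("w001",)),                      # fine
    Access("M365", "cho@provider.example", ("p001",), scope="all",
           revoked_on=date(2024, 3, 4)),                                    # revoked same day, fine
]

if __name__ == "__main__":
    for f in audit_access(STAFF, REGISTER, AUDIT_DATE):
        print(f"{f.kind:16} {f.system:10} {f.account:24} {f.detail}")
```

Run monthly and keep the output with the date: a clean run is the evidence the Practice Standards audit asks for, and a non-empty run is the offboarding backlog. The same-day rule is deliberately strict; a revocation one day late is still a finding, because that is the window in which a departed payments officer can still reach claiming.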
Backups and incident readiness
A tested, isolated backup is the difference between a ransomware incident being a bad week and an existential event for a provider that can’t access medication or behaviour-support records. We cover this in our guide to backup and disaster recovery for Melbourne businesses, and it applies double when records relate to vulnerable people. Incident readiness goes further: logging, a rehearsed response plan, and the ability to retrieve records quickly when the Commission, an insurer or a family asks.
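A backup nobody has restored is not evidence. Below is an added example, not code from this page or from TechAssist, of the smallest check that produces evidence: a backup with an embedded digest manifest, a restore into a scratch directory, and a comparison of every restored file against the manifest, with the restore refusing archive members that would escape the target directory. It builds a constructed record tree inline with placeholder content, and the damaged-archive case shows what a failed restore test reports. The archive layout, manifest name and helper names are assumptions for illustration; the point carries over to whatever backup product is in use.

```python
"""Restore verification for a file backup (added example; see lead-in for assumptions)."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"   # digest list written into the archive at backup time


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Tar the source tree and embed a manifest of per-file SHA-256 digests."""
    manifest = {p.relative_to(source).as_posix(): sha256_of(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        blob = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def verify_restore(archive: Path, restore_dir: Path) -> dict:
    """Restore the archive into a scratch directory and check every file against the manifest.
    The returned dict is the evidence: file count, missing files, corrupt files."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter rejects absolute paths, "..", and links that escape restore_dir
            # (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4).
            tar.extractall(restore_dir, filter="data")
        except TypeError:  # older interpreter without extraction filters
            tar.extractall(restore_dir)
    manifest = json.loads((restore_dir / MANIFEST).read_text())
    missing = [rel for rel in manifest if not (restore_dir / rel).is_file()]
    corrupt = [rel for rel, digest in manifest.items()
               if rel not in missing and sha256_of(restore_dir / rel) != digest]
    return {"ok": not missing and not corrupt, "files": len(manifest),
            "missing": missing, "corrupt": corrupt}


def damage_backup(archive: Path, out: Path, victim: str) -> None:
    """Rewrite the archive with one member truncated: a stand-in for media or transfer damage."""
    with tarfile.open(archive, "r:gz") as src, tarfile.open(out, "w:gz") as dst:
        for member in src.getmembers():
            data = src.extractfile(member).read()
            if member.name == victim:
                data = data[: len(data) // 2]
                member.size = len(data)
            dst.addfile(member, io.BytesIO(data))


def run_example() -> tuple:
    """Back up a constructed record tree, then verify a good copy and a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "records"
        (src / "plans").mkdir(parents=True)
        # Constructed placeholder content, not real participant data.
        (src / "plans" / "P-1001.json").write_text('{"participant": "P-1001", "plan": "placeholder"}')
        (src / "medication.csv").write_text("participant,medication\nP-1001,placeholder\n")
        good, bad = tmp / "good.tgz", tmp / "damaged.tgz"
        create_backup(src, good)
        damage_backup(good, bad, "medication.csv")
        return (verify_restore(good, tmp / "restore-good"),
                verify_restore(bad, tmp / "restore-bad"))


if __name__ == "__main__":
    for label, result in zip(("good backup", "damaged backup"), run_example()):
        print(label, result)
```

Two design points matter for a provider holding records about vulnerable people. The digests are taken at backup time and travel with the archive, so the check proves the restored data matches what was captured, not merely that the archive opens. And the restore goes into a scratch directory with path filtering, so a test restore of an archive that has been tampered with cannot overwrite the live record set it was meant to protect.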
What good NDIS IT support actually covers
| Area | What it looks like done properly |
|---|---|
| Participant systems | Lumary, ShiftCare, Brevity, SupportAbility or Carelink monitored, patched and prioritised for uptime; backups tested |
| Portal access | PRODA and myplace access tied to individuals, no shared logins, removed same-day on departure |
| Data protection | Essential Eight aligned, MFA everywhere, tested isolated backups, OAIC breach readiness |
| Mobile workforce | Intune-managed phones and tablets, enforced encryption, remote wipe for lost field devices |
| Remote access | Identity-based, least-privilege, conditional access on Microsoft 365 — no flat-network VPNs |
| Compliance evidence | Documented access controls and offboarding ready for Practice Standards audits |
TechAssist is a Melbourne-based MSP, founded in 2014, with 13 Australian-employed engineers — no offshore helpdesk touching participant data. We price per user on a fixed monthly basis with no hourly billing for in-scope work, which matters in a sector budgeting against plan-funded revenue. Our cybersecurity services and broader managed IT services carry this regulated, always-on workload, and our 24/7 network operations centre in Tecoma means support doesn’t stop when a SIL house needs help overnight.
Frequently asked questions
Do the NDIS Practice Standards require specific IT controls?
They don’t prescribe particular products, but the Privacy and Dignity, Information Management and governance requirements mean providers must be able to show participant information is kept secure, accurate and access-controlled. In practice that points straight at Essential Eight controls, MFA, managed identity and tested backups, and the accountability stays with the registered provider, not the IT vendor.
We’re an unregistered provider — do these IT requirements still apply?
The audit obligations differ, but the data doesn’t. You hold the same sensitive participant information and the same duty under the Privacy Act, and a breach likely to cause serious harm is still reportable to the OAIC. Running lean IT because you’re unregistered is a risk, not a saving.
How should we handle PRODA access when a staff member leaves?
Revoke it the same day, alongside their email, portal and system access, as part of a standard offboarding process. PRODA accounts are tied to individuals and must never be shared. Orphaned access is a live door into participant payment data and a common audit finding.
Where to start
If you’re unsure whether your IT would stand up to a Practice Standards audit or a breach, the honest first step is an assessment: where participant data lives, how access and PRODA are controlled, whether your backups actually restore, and where the Essential Eight gaps are. Most providers we assess have two or three serious exposures they didn’t know about — usually shared logins, unmanaged devices, or untested backups. Get in touch with TechAssist and we’ll give you a straight read on what to fix first.