  • Consent must be informed, specific, and freely given. A form that asks for broad or open-ended agreement to share all your information is not valid under Australian privacy law.
  • Providers can ask you to consent to sharing information that is reasonably necessary to deliver safe, effective NDIS supports. They cannot ask you to sign away rights you are entitled to keep.
  • You can withdraw consent at any time. Withdrawing does not automatically end your service agreement.
  • Blanket consent forms, signing under pressure, and consent obtained without a proper explanation of what you are agreeing to are all problems you have the right to challenge.
  • NDIS auditors now require granular, purpose-specific consent records. If a provider is using vague, one-size-fits-all forms, that is a compliance problem on their end, not yours.

An NDIS consent form is a document that records your agreement to a specific action by a provider. In practice, consent forms are used for several different purposes:

  • Information sharing: agreeing to the provider sharing your health or support records with other members of your care team, your plan manager, or government agencies.
  • Photography and recording: agreeing to being photographed or filmed for care documentation, training, or promotional purposes.
  • Assessment and observation: agreeing to a provider conducting a formal assessment, observation period, or outcome measurement.
  • Involving additional people: agreeing to a student, supervisor, or other third party being present during your sessions.
  • Emergency contacts and next of kin: agreeing to the provider contacting a nominated person on your behalf in specified circumstances.

Each of these is a separate purpose, and each should have its own consent process. Providers who use a single form to cover all of the above in one signature are not meeting best-practice standards for consent management.


Two main laws govern how NDIS providers handle consent:

Privacy Act 1988

The Privacy Act applies to most NDIS providers and covers how they collect, use, store, and share your personal information, including sensitive information such as health records and disability information.

Under the Privacy Act, providers must:

  • Only collect personal information that is reasonably necessary for their functions.
  • Tell you why they are collecting the information and how it will be used.
  • Obtain your consent before using or sharing sensitive information for a purpose beyond the reason it was collected.
  • Allow you to access and correct your records.
  • Not share your information with overseas recipients without your explicit consent unless specific conditions are met.

NDIS Act 2013 and Practice Standards

The NDIS Act and the Practice Standards reinforce the principles of participant autonomy and informed decision-making. Registered providers must demonstrate, at audit, that they have obtained and documented consent appropriately. Auditors look for evidence that:

  • Consent was obtained before information was shared.
  • The consent was genuinely informed (the participant understood what they were agreeing to).
  • Consent records are retrievable and current.

A consent form signed at intake in 2022 does not automatically cover information sharing decisions made in 2026. Consent should be reviewed and refreshed when circumstances change.


The following are examples of consent requests that are reasonable and lawful:

Sharing with your treating team

A provider may ask for consent to share relevant health information with your GP, occupational therapist, physiotherapist, or other treating professionals. This is a normal and often necessary part of coordinated care.

A valid consent request for this purpose will tell you:

  • Exactly what information will be shared (for example, session notes, health assessments, or incident reports).
  • Specifically who it will be shared with (named professionals or named organisations, not “anyone involved in your care”).
  • Why the sharing is necessary.
  • How long the consent applies, or that it can be withdrawn at any time.

Sharing with your plan manager or support coordinator

If you have a plan manager, your provider may need to share service records and invoices with them. If you have a support coordinator, sharing progress notes and goal updates may be necessary for your coordinator to do their job effectively.

This is legitimate. Check that the consent form names your specific plan manager or support coordinator rather than giving a blanket authorisation for any third party to access your records.

Emergency contact and safety information

Providers may ask you to nominate an emergency contact and consent to that person being called in a defined emergency. This is reasonable. Check that the consent specifies what counts as an emergency under the form, rather than leaving it to the provider’s discretion.

Outcome measurements and assessments

Providers delivering certain NDIS supports may use formal outcome measurement tools (for example, a functional assessment or a quality of life measure). These tools require your participation and your agreement to the results being recorded and used in reporting. This is a legitimate consent request, provided it is explained to you clearly and you understand the purpose.

Photographs for care records

Some providers use photographs to document support needs, home modification requirements, wound care, or equipment fitting. Consent to this specific, clinical use is reasonable, provided:

  • The photographs are stored securely.
  • They are only used for the stated clinical purpose.
  • They are not shared beyond the care team without separate consent.

What Providers Cannot Ask You to Sign

A consent form that asks you to agree to “sharing information with anyone involved in my care” or “disclosing my personal information as required” is too broad to be valid for sensitive health and disability information under Australian privacy law.

Blanket consents do not meet the legal standard of informed, specific consent. If a provider presents you with one, you can:

  • Decline to sign it and ask for a purpose-specific version instead.
  • Cross out or amend the parts you do not agree with before signing, then initial your changes.
  • Ask the provider to explain precisely what they need to share and with whom, then ask them to document that specifically.

Consent must relate to a current, identified purpose. Providers cannot ask you to pre-consent to any and all future sharing decisions. A form that attempts to obtain consent “for the duration of your NDIS plan” or “for as long as services are provided” for unspecified future purposes is not valid for sensitive information.

Providers cannot make the provision of NDIS services conditional on you signing a consent form that goes beyond what is genuinely necessary to deliver those services. For example:

  • You cannot be refused personal care because you declined to consent to your information being shared for provider marketing research.
  • You cannot be refused a support if you decline to consent to photographs being used in promotional materials.

There is a distinction worth noting here: if consent to share information is genuinely necessary for safety (for example, sharing health information with a nurse who will provide clinical supports), a provider may not be able to deliver certain services safely without that consent. But consent that extends beyond what is operationally necessary cannot be made a condition of service.

Signing on behalf of someone else without proper authority

Providers cannot ask a family member or carer to sign a consent form on your behalf unless that person has legal authority to do so (such as a guardianship order or an enduring power of attorney covering this type of decision). The fact that a family member is present or pays your invoices does not give them authority to consent on your behalf.

Providers cannot ask you to sign a consent form to cover information sharing that has already happened without your permission. If a provider shares your information without consent and then asks you to sign a form retroactively, this is a problem. The sharing that already occurred was without valid consent and may constitute a breach of the Privacy Act.


Before signing any NDIS consent form, check that it answers all of the following:

  • What specific information is being shared or used?
  • Who specifically will receive the information (named individuals or named organisations)?
  • What is the purpose of the sharing?
  • How long does this consent last, or can it be withdrawn at any time?
  • What happens if I withdraw consent?
  • Is the consent form separate from the service agreement and other documents?
  • Is the form written in plain language I can understand?
  • Has someone explained the form to me and answered my questions?

If any of these are missing from the form, ask the provider to address them before you sign.


You can withdraw any consent you have given, at any time, by notifying the provider in writing. A written withdrawal (email is sufficient) creates a record that the withdrawal happened and when.

After you withdraw consent:

  • The provider must stop using or sharing your information for the purpose you have withdrawn consent from.
  • They may not be able to undo sharing that has already occurred, but they must comply with your withdrawal going forward.
  • They should confirm in writing that they have received and acted on your withdrawal.

If withdrawing consent means the provider cannot safely deliver a specific support, they should discuss this with you openly and explore alternatives. They cannot simply reduce or terminate services without following the appropriate process.

The NDIA also allows participants to update or withdraw consent for information sharing with the NDIA itself. You can do this by contacting the NDIA directly by phone, email, mail, or in person at an NDIS office.


If you have a legal guardian, an attorney under an enduring power of attorney, or a nominee appointed through the NDIA, that person may have authority to make consent decisions on your behalf for certain matters.

Important points:

  • The authority of a nominee, guardian, or attorney is defined by the relevant legal document or appointment. It is not unlimited.
  • Even where someone has legal authority to consent on your behalf, providers should still explain what is being agreed to and involve you as much as possible in the process.
  • Providers should not treat a family member who is present, but not legally appointed, as having the authority to consent on your behalf.

If you are not sure about your own decision-making rights or who is authorised to act for you, contact the Office of the Public Advocate in your state or territory, or speak with a disability advocate through Disability Advocacy Network Australia (DANA).


At sign-up:

  • A provider presents a single, multi-page consent form covering all possible information sharing in one signature.
  • The form contains undefined terms like “relevant parties”, “associated organisations”, or “service partners” without naming them.
  • You are asked to sign before you have had a chance to read the document.
  • The provider says the form is “standard” and nothing can be changed.

During service delivery:

  • You are asked to sign a new consent form with no explanation of what changed or why.
  • A worker asks for your consent verbally and does not document it.
  • You are told that a third party already has access to your records, and then asked to sign a form retroactively.

Around photography and media:

  • You are asked to sign a photography consent that includes social media publishing rights, without this being clearly explained.
  • Marketing consent is bundled into a clinical or service consent form.

Around exit or complaints:

  • You are asked to sign a release or waiver after raising a complaint, as part of a “resolution” process. You are under no obligation to sign anything that limits your rights.



Carevo connects NDIS participants with providers who communicate clearly, document consent properly, and respect your right to make informed decisions. Search our provider directory to find providers in your area.


Frequently Asked Questions

Is signing a consent form mandatory to receive NDIS services? Providers can require consent for sharing information that is genuinely necessary to deliver safe supports. They cannot make services conditional on consent that goes beyond what is operationally necessary, such as consent to marketing use of your information or photography for promotional purposes.

What is a blanket consent form? A blanket consent form asks you to agree to broad, unspecified information sharing such as “with anyone involved in my care.” These are not valid for sensitive health and disability information under the Privacy Act 1988. Valid consent must identify what information, who receives it, and for what purpose.

Can I withdraw consent after signing? Yes, at any time, in writing. The provider must stop sharing your information for that purpose from the point they receive your withdrawal. Prior sharing that occurred with your consent remains valid, but future sharing must stop.

Can a provider share my information without consent? Only in limited circumstances: where required by law (such as mandatory reporting obligations), or where there is a serious and imminent threat to health or safety and consent cannot be obtained in time. These exceptions are narrow and should not be used by providers to justify routine information sharing.

What should I do if a provider shared my information without consent? Raise it in writing with the provider first. If unresolved, make a complaint to the NDIS Quality and Safeguards Commission on 1800 035 544. You can also lodge a privacy complaint with the Office of the Australian Information Commissioner at oaic.gov.au.

Can I cross out parts of a consent form before signing? Yes. You can amend a consent form before signing, as long as both parties agree to the amended version. Initial and date any changes, and ask the provider to countersign. Keep a copy of the amended form.