Incident management and reportable incidents

Every registered provider needs an incident management system, and certain serious incidents must be reported to the NDIS Commission within set timeframes.

Key facts

All registered NDIS providers must have an incident management system that covers prevention, response, and learning.
Certain serious events are classified as reportable incidents and must be notified to the NDIS Commission within timeframes set by the rules.
Notification to the Commission does not replace obligations to contact emergency services or police when a participant is in immediate danger.

Your incident management system

The NDIS Practice Standards require every registered provider to have an incident management system in place official source (opens in a new tab) . This is not simply a form to fill in after something goes wrong. It is an organisational system that covers how your staff identify and respond to incidents as they happen, how incidents are documented, how they are reviewed, and how the organisation learns from them to reduce the risk of recurrence.

A well-designed incident management system will have clear definitions of what constitutes an incident, a straightforward process for staff to report incidents without fear of blame, timelines for reviewing and escalating reports, and evidence that learning from incidents is fed back into practice. The system must cover incidents involving participants in the delivery of supports, including those that occur in the community, not only on your premises.

What is a reportable incident

Not every incident is a reportable incident. The NDIS rules define a specific category of serious events that must be notified to the NDIS Quality and Safeguards Commission official source (opens in a new tab) . Reportable incidents include the death of a participant while receiving supports, serious injury to a participant, abuse or neglect of a participant (or alleged or suspected abuse or neglect), unlawful sexual or physical contact or assault, the use of a restrictive practice that was not authorised under the participant’s behaviour support plan, and the unexplained absence of a participant from an NDIS residential service.

The threshold is deliberately set at serious events. Everyday incidents, such as a minor fall with no lasting injury, are captured within your internal incident management system but may not trigger a Commission notification. Applying the definitions carefully, and training your staff to recognise the difference, is an important part of getting your system right.

Watch out

The categories of reportable incidents are set in the NDIS (Reportable Incidents) Rules. Review those rules directly, or the Commission’s published guidance, to ensure your staff are applying the correct definitions. Misclassifying a reportable incident as internal-only can itself be a compliance failure.

Timeframes

When a reportable incident occurs or is identified, the Commission must be notified within the timeframes specified in the rules official source (opens in a new tab) . The rules distinguish between events that require initial notification quickly (typically within a short number of days of the event) and a further detailed report that follows once the provider has investigated. The initial notification is intended to alert the Commission promptly; the later report provides the findings and corrective actions.

Because the timeframes are set in legislation and can be short, particularly for the most serious events, your incident management system should include a clear escalation pathway that brings incidents to the attention of a designated manager promptly. Waiting until you have full information before deciding whether to notify the Commission can result in a late notification, which is itself a compliance issue.

How to notify the Commission

Notifications to the Commission are made through the Commission’s online portal official source (opens in a new tab) . Your organisation will need to have registered access to the portal and nominated someone responsible for managing Commission notifications. The notification form asks for details of the incident, including the date and location, the nature of the event, the participants involved (by their NDIS number rather than name, in accordance with privacy requirements), the immediate response taken, and the investigation and corrective actions planned or underway.

Submitting the initial notification as soon as the incident is identified, even if some details are still being gathered, is generally the right approach. You can update the record as your investigation progresses. The Commission may contact you to seek additional information or, in serious cases, to initiate a formal inquiry.

Records and learning

Keeping complete records of every incident, including those that are internal-only and those reported to the Commission, is a core obligation under the Practice Standards official source (opens in a new tab) . Records must be maintained securely and retained for the period required by the rules. During an audit, the auditor will review a sample of incident records to assess whether your system is operating effectively, whether incidents have been responded to appropriately, and whether there is evidence of learning being applied.

The learning loop is often where incident management systems fall short. Recording incidents diligently but taking no action to prevent recurrence is not compliance. Your system should include a mechanism for reviewing incident patterns across your organisation, identifying themes, and feeding those insights back into training, supervision, and practice improvement. Where behaviour support is involved, incidents relating to the use of restrictive practices must also be reported through the behaviour support plan framework official source (opens in a new tab) .