Record keeping is the least glamorous part of running a provider, and one of the most tested at audit. The reason is simple: your records are the evidence that everything else happened. A policy, a support, a screening check, an incident response, none of it counts at audit if you cannot produce the record when asked. So it is worth knowing exactly what to keep, for how long, and in what form.

Who this is for

SIL and disability providers, practice managers, and anyone setting up or cleaning up a record-keeping system before an audit or registration.

How long: seven years, with one exception that catches people out

The headline is right. Most NDIS records must be kept for at least seven years, measured from when the record was created, or from the last date you provided a service, whichever is later.

The exception is the one providers forget. For child participants, records must be kept until the participant turns 25. For a participant supported from a young age, that can be a far longer obligation than seven years. If you support children or young people, build your retention around the age rule, not the seven-year default, or you risk deleting records you were still required to hold.

And one more: some record types can carry longer retention under state or territory law. Seven years is the NDIS floor, not always the ceiling. If in doubt, keep them.

What actually falls into the seven-year class

It is broader than just participant files. The records you are expected to hold and produce include:

  • Participant records — service agreements, support plans, assessments, and your progress and shift notes (the day-to-day evidence of support, covered in shift notes that survive an audit).
  • Incident reports — the full record, including investigation and outcome.
  • Complaints records — what was raised, how it was handled, and what changed.
  • Workforce and screening documentation — worker screening status, orientation and training currency for every worker (see worker screening and training currency).

In other words, the things an auditor asks for are exactly the things the retention rules cover. That is not a coincidence. The retention period exists so that the evidence is still there when someone needs to check your work, years later.

Keeping a participant's records after they leave

This one is worth stating on its own because it feels counter-intuitive. When a participant leaves your service, you do not delete their records. The retention clock runs from the last date of service, so their file has to be kept for the full period after they have gone. Archiving is fine. Deleting is a breach. The same applies if you stop delivering a particular support, the records of the support you did deliver still have to be retained.

Digital is fine, if it meets four conditions

You do not have to keep paper. The NDIS Commission accepts digital record keeping, and for most providers it is the only realistic way to handle the volume and the retrieval. But "digital" is not automatically compliant. The records have to be:

  1. Stored securely — protected against loss and unauthorised access.
  2. Tamper-evident — they cannot be altered without an audit trail. If a note can be silently edited after the fact, it stops being reliable evidence.
  3. Backed up — a single device or a single copy is not a system.
  4. Retrievable — you can actually find and produce a specific record when it is asked for, quickly.

That fourth point is where spreadsheets and shared drives quietly fail. The records technically exist, but no one can find the right note for the right participant on the right date inside the audit window. (We wrote about why spreadsheets break down as a compliance system.) An auditor does not reward you for having the record somewhere. They reward you for producing it.

Make retention automatic, not a filing chore

The honest problem with record keeping is not that providers do not understand the rules. It is that doing it consistently, securely and retrievably, for every participant and every worker, across seven years, is genuinely hard with paper, inboxes and spreadsheets.

That is the part software should carry. With Clearline, the records create themselves as you work, captured at the point of care, stored in Australia, tamper-evident with an audit trail on every change, backed up, and retrievable in seconds by participant, date and standard. The retention obligation stops being a filing job you have to remember and becomes a property of the system. The core record-keeping and audit features are included for every provider, free for your first two participants.

Seven years is a long time to be able to answer one question: can you produce the record? Build the system so the answer is always yes.

Records that keep themselves.

Captured at the point of care, stored in Australia, retrievable in seconds. Free for your first two participants.

This article is general information, not legal advice. Retention obligations can vary by record type and by state or territory law. Always confirm your obligations with the NDIS Quality and Safeguards Commission.