Why sharing is so messy right now

A participant rarely has just one person in their corner. There is the SIL provider running the house, the support coordinator holding the plan together, the OT writing the functional capacity assessment, and the family who knows the person better than any document ever will. For the support to work, all of them need to share pieces of the same picture.

So they do, with the tools they already have. A report goes out as an email attachment. A handover detail gets sent as a text. A consent form is scanned and forwarded. A spreadsheet of contacts lives on someone's laptop. It is fast and it feels normal, because these are the tools everyone has. The trouble is that none of them were built for sensitive information about a vulnerable person, and the cracks only show when something goes wrong.

By the time a plan review comes around, nobody can say with confidence who holds what. The OT's report is in three inboxes. An old version is still circulating. A worker who left six months ago still has the participant's details on their phone. None of that was anyone's bad intention. It is just what happens when important information moves through tools that were designed for convenience, not care.

The risk nobody means to create

NDIS providers are expected to handle personal information in line with the Australian Privacy Principles and the NDIS Code of Conduct. The principle that matters most here is a simple one: you have to keep the personal information you hold secure, and you have to be able to account for it.

That is exactly the part an email cannot do. The moment a report leaves as an attachment, you have lost control of it. You cannot see who opened it, you cannot stop it being forwarded, and you cannot take it back. The participant may have agreed to share it with one provider, but consent given once to one person is not the same as control over where the document travels next. This is not about fear, and it is not about anyone doing the wrong thing on purpose. It is that the convenient tools simply were not built to keep a promise about someone else's private information.

Consent given once is not the same as control. The safe version is sharing you can still see, and still take back.

What safe sharing actually requires

You do not need to be a privacy lawyer to get this right. Safe information sharing in the NDIS comes down to four things. If the way you share has all four, you are on solid ground. If it is missing one, that is where the risk sits.

01 · Consent at the source

The person, or their family, decides before anything moves.

Sharing should start with the participant or their nominee saying yes to this person seeing this information, not with a document already in transit. Consent at the source means the decision happens first, on the record, and the share follows from it.

02 · Only what is needed

Share the piece, not the whole file.

The OT needs the context relevant to their assessment, not the participant's entire history. The provider needs the recommendation, not every note the coordinator ever wrote. Sharing the minimum necessary keeps the circle of information as small as the job allows.

03 · Every access logged

You can always answer "who saw what, and when".

If an auditor, or a worried family member, asks who has accessed a participant's information, you should be able to answer in seconds. A log of every access is what turns a vague "it was shared securely" into something you can actually stand behind.

04 · Revocable any time

Access can be switched off, not just handed out.

A support worker moves on. A provider relationship ends. Consent changes. Whatever the reason, the family should be able to withdraw access and have it actually stop. You cannot un-send an email. Safe sharing means the off switch is real.

A practical way to do it: consent-based sharing

The fix is to stop treating sharing as moving a copy from one place to another, and start treating it as granting access to a single record that the participant controls. Instead of the OT's report becoming four attachments in four inboxes, there is one report, and the people who need it are given access to it, with the family's consent, for as long as the family allows.

This is the model Clearline is built on. Clearline Connect links the provider, the coordinator, the OT and the family around one participant record, and every connection runs on consent. A connection is requested, the family approves it, and only then does anything flow. The family can see who is connected, and can revoke any connection at any time. Every cross-app access is logged, and participant data is stored and processed in Australia. You can see how Connect works in detail, including the consent and approval steps.

Connect, in one line

Nothing is shared until both sides approve. The family sees who is connected, every access is logged, and access can be revoked any time. That is the difference between sharing a copy you can never get back and granting access you can always switch off.

What it looks like across the care team

When sharing works this way, the day-to-day gets simpler for everyone, and the participant is better protected at the same time. The OT signs a report in Scrive and, with consent, it appears for the provider and feeds the coordinator's funding case, cited and dated, with no attachment to chase. The family, in Compass, can write what only they know about their person and choose exactly which providers see it. The provider's records and the coordinator's plan stay in step because they are reading the same source, not three copies of it.

None of that requires anyone to give up control. It is the opposite. The information moves more freely to the people who should have it, and far less freely to anyone who should not, because the family is holding the switch the whole time. That is the quiet promise underneath good NDIS compliance software: the evidence an auditor asks for is the same record the care team already works on, shared the safe way by default.

Share the record. Keep the control.

Clearline Connect links the whole care team around one participant, with consent on every connection, every access logged, and the family able to revoke any time. Australian-hosted. Free to start, free for your first two participants on Aura OS.

See how Connect works → Start free →

Questions

Is it legal to share NDIS participant information with other providers?

Yes, with the participant's consent and appropriate security. NDIS providers must handle personal information in line with the Australian Privacy Principles and the NDIS Code of Conduct. The safe way to share is consent first, only what is needed, with every access logged and the ability to revoke. Emailing a report to another provider can meet the letter of consent but loses control of the document, which is the part that creates risk.

How do I share a report with a provider without emailing it?

Use a consent-based platform rather than an attachment. On Clearline Connect, a signed report is shared to the provider through the platform and appears in their app, with the family approving the connection first. There is no attachment to forward, the access is logged, and the family can revoke it at any time.

Who controls what is shared in Clearline Connect?

The participant or their family. Every connection waits on approval from both sides, the family can see who accessed what, and they can revoke access at any time. Every cross-app read is audit-logged, and participant data is stored and processed in Australia.