
NDIS Compliance for Phone Calls: Recording, Privacy & Best Practices

Call recording requirements for NDIS providers, including consent scripts, storage, retention, and audit preparation.

Dr. Rachel Taylor
NDIS, Compliance, Privacy, Call Recording, Allied Health

LEGAL DISCLAIMER: This article provides general information only and does not constitute legal advice. NDIS compliance requirements, privacy laws, and state surveillance legislation are complex and can change. Providers should seek independent legal advice for their circumstances before implementing call recording systems.

Last updated: December 2025


Introduction

For NDIS providers, phone calls are where service delivery meets compliance. Intake chats, booking confirmations, and service agreements often happen over the phone, which means you need proper documentation AND you’ve got privacy rules to follow. (This is especially important for after-hours calls and plan manager bookings.)

You’re dealing with the Privacy Act 1988, NDIS Practice Standards, and state surveillance laws—it’s a lot to keep track of.

This guide breaks down what you actually need to know about recording calls, getting consent, protecting privacy, and being ready for audits. We’ll also show you how doing things systematically makes compliance way easier.

The Compliance Challenge

Why phone calls create compliance risk

Phone calls are where critical moments happen:

  • Participant intake and service agreement discussions
  • Booking confirmations and cancellations
  • Complaint handling and incident reporting
  • Verbal consent for services

Unlike written agreements, phone conversations can be harder to evidence during audits or disputes unless they are recorded and properly documented.

Common compliance failure scenarios

Scenario 1: During an NDIS Commission audit, you are asked to show how consent was obtained for a service. The conversation happened by phone six months ago. The receptionist has left. There are no notes and no recording.

Scenario 2: A participant disputes what was agreed during intake. They claim you promised specific support hours. You have no record of the call. The complaint escalates.

Scenario 3: A support coordinator requests evidence of when an appointment was booked. Your calendar shows the appointment, but not who booked it, when, or what was discussed.

These situations are common. They show why systematic call documentation matters.

Consequences of inadequate documentation

NDIS Commission perspective:

  • Core Module 1 (Rights and Responsibilities) requires providers to maintain accurate records.
  • Practice Standard 3c requires documentation of service agreements.
  • Inability to provide evidence during audits can trigger corrective action.

Privacy Act perspective:

  • APP 5 requires transparent collection of personal information.
  • APP 11 requires secure storage.
  • Failure to meet these standards can lead to complaints to the Office of the Australian Information Commissioner (OAIC).

Practical business risk:

  • Extended dispute resolution processes
  • Registration compliance reviews
  • Reputational damage
  • Lost referrals from coordinators

Privacy Act 1988: Australian Privacy Principles

Four APPs are particularly relevant to call recording:

APP 5 (Notification of collection):

When collecting personal information by phone, you must tell callers:

  • Who you are
  • How you will use their information
  • Whether you are recording the call
  • How they can access their information

APP 11 (Security of personal information):

Call recordings that contain personal or health information must be:

  • Stored securely (encryption is recommended)
  • Protected from unauthorised access
  • Backed up appropriately
  • Disposed of securely when no longer needed

APP 12 (Access to personal information):

Participants can request:

  • Access to recordings of their calls
  • Transcripts or summaries
  • Corrections if information is inaccurate

You must respond within 30 days or explain why you cannot.

APP 13 (Correction of personal information):

If a participant says information in a call recording is incorrect, you must:

  • Investigate the claim
  • Correct it if appropriate
  • Notify other parties if the information was shared

Practical implication: Your phone system needs to support notification, secure storage, retrieval, and correction workflows.

State and Territory Surveillance Legislation

Australian states and territories have different surveillance device laws. While there is variation, most permit recording if at least one party to the conversation consents.

However, best practice for NDIS providers is to notify all callers regardless of state requirements, because:

  1. Providers often service participants across state borders.
  2. Notification demonstrates transparency (NDIS Core Module requirement).
  3. It reduces confusion about what is permitted.
  4. Participants expect clear privacy information regardless of legal minimums.

State by state overview:

| State/Territory | Primary Legislation | Recording Requirement | Notes |
|---|---|---|---|
| Queensland | Invasion of Privacy Act 1971 | At least one party must consent | Provider can record as a party to the call |
| New South Wales | Surveillance Devices Act 2007 (s 7) | At least one principal party must consent | Similar to QLD |
| Victoria | Surveillance Devices Act 1999 (s 6) | At least one party must consent | |
| Western Australia | Surveillance Devices Act 1998 (s 5) | All parties must consent or lawful authority | Stricter than other states |
| South Australia | Surveillance Devices Act 2016 (s 4) | All parties must consent or an exemption applies | Similar to WA |
| Tasmania | Listening Devices Act 1991 (s 5) | One party must consent | |
| Northern Territory | Surveillance Devices Act 2007 (s 11) | One party must consent | |
| ACT | Listening Devices Act 1992 (s 4) | One party must consent | |

As of December 2024. This is general information - seek legal advice for specific situations.

Interstate calls: When recording calls across state borders, the most restrictive law usually applies. Since you may not always know where a caller is located, consistent notification is the safest approach.

NDIS Practice Standards

While the NDIS Practice Standards do not explicitly require call recording, they do require:

Core Module 1 (Rights and Responsibilities):

  • Standard 1c: “The provider maintains records about the participant and management of supports in accordance with agreed confidentiality protocols.”
  • This includes verbal agreements and conversations.

Core Module 3 (Provision of Supports):

  • Standard 3c: “Service agreements are outcome focused, agreed to by participants, and documented.”
  • Phone conversations often initiate or modify these agreements.

Supplementary Module (Incident Management):

  • Documentation of incident related communications.

Practical implication: You need to be able to produce records of key phone interactions during audits.

NDIS Quality and Safeguards Commission guidance

The Commission has not issued specific guidance on call recording, but audits and investigations may request:

  • Records of intake conversations
  • Evidence of participant agreement to services
  • Documentation of complaint handling
  • Incident notification communications

Commission perspective: The method of documentation (notes versus recording) matters less than:

  • Accuracy
  • Accessibility
  • Completeness
  • Ability to demonstrate participant consent and dignity

Practical Implementation Guide

You need clear, consistent language. Here are templates for different scenarios:

Standard greeting (recommended):

“Thank you for calling [Provider Name]. This call may be recorded for quality assurance, staff training, and compliance purposes. By continuing this call, you are consenting to recording. If you prefer not to be recorded, please let me know now and we can continue without recording.”

Brief version (if call volume requires brevity):

“Thank you for calling [Provider Name]. Please note this call may be recorded for quality and compliance. How can I help you today?”

Mid call transfer:

“I am transferring you to [person or department]. Please note this call is recorded for quality and compliance purposes. One moment please.”

When a caller objects to recording:

“I understand. We will not record this call. I will take detailed notes instead. Let me confirm I have your correct details: [verify information].”

Emergency or crisis situations:

If there is imminent risk to a participant or others, recording may need to pause while you focus on immediate safety. Document the conversation immediately afterward with detailed notes.

When callers refuse recording

You must still provide services. Refusing service because someone will not consent to recording would likely breach NDIS Practice Standards.

Alternative documentation:

  1. Take detailed contemporaneous notes.
  2. Use structured note templates (who, what, when, agreed outcomes).
  3. Send a follow up email confirming the discussion.
  4. File notes appropriately in the participant management system.

Staff training: Ensure reception and intake staff know how to handle refusals professionally and document conversations thoroughly without recording.

Retention periods

General guidance: Align call recording retention with your overall record keeping policy.

Common approaches:

  • Service agreement related calls: seven years (aligns with contract law)
  • General enquiries: 12 to 24 months
  • Incident related calls: seven years or as required by the incident
  • Complaint calls: seven years (aligns with NDIS Commission expectations)

Privacy Act requirement: Do not retain recordings longer than reasonably necessary for the purpose collected.

Practical tip: Document your retention policy in writing and apply it consistently. Include the policy in your privacy statement.

Storage and security requirements

Minimum security measures:

  • Encryption at rest for stored recordings
  • Encryption in transit if accessing remotely
  • Access controls so only authorised staff can retrieve recordings
  • Access logging to record who accessed what and when
  • Regular backups
  • Secure deletion when the retention period expires

Australian hosting: While not strictly required, hosting call recordings in Australia:

  • Reduces cross border data transfer concerns
  • Aligns with APP 8 (cross border disclosure)
  • Simplifies compliance during audits
  • Meets increasing NDIS provider expectations

Access request procedures

When a participant requests access to recordings of their calls:

Step 1 - Verify identity:

  • Confirm participant identity before providing access.
  • If the request is from a guardian or representative, verify their authority.

Step 2 - Locate recordings:

  • Search by participant name, phone number, and date range.
  • Check multiple systems if call handling changed over time.

Step 3 - Review before providing:

  • Does the recording contain information about other participants?
  • Are there third party privacy concerns?
  • Is redaction needed?

Step 4 - Provide access:

  • Within 30 days (Privacy Act requirement)
  • Format: audio file, transcript, or summary (confirm preference)
  • Delivery method: secure email, encrypted USB, or secure portal
  • Document the access request and your response

Step 5 - If refusing or delaying:

  • Valid reasons: would unreasonably impact privacy of others, or it is unlawful to provide
  • You must explain the reason in writing
  • Tell the participant they can complain to the OAIC

Participants under 18:

  • Consent should come from a parent or guardian for recording.
  • Document guardian identity and relationship.
  • Be aware of young people transitioning to independence.

Participants with guardians or decision makers:

  • Verify guardianship or decision making authority.
  • Obtain consent from the authorised decision maker.
  • Document authority in notes.

Participants with cognitive impairment:

  • Assess capacity to consent.
  • Involve a support person if appropriate.
  • Document the assessment and consent process.
  • More detailed notes may be needed instead of relying only on recording.

Emergency situations (imminent risk):

  • Immediate safety takes priority.
  • Recording can pause if it impedes crisis response.
  • Document the conversation immediately after with detailed notes.
  • Resume normal recording procedures once the crisis is resolved.

How Systematic Approaches Reduce Risk

Manual versus automated call handling

Manual approach challenges:

  • Relies on staff remembering to record
  • Inconsistent consent wording
  • No guaranteed notification delivery
  • Access retrieval requires manual searching
  • Audit preparation is time intensive

Systematic approach benefits:

  • Consistent consent notification on every call
  • Automatic recording (no selective recording risk)
  • Structured storage with metadata
  • Quick retrieval by date, participant, or topic
  • Built in access logs

Where AI reception fits

Automated reception systems can support compliance by:

  • Delivering mandatory consent announcements the same way every time
  • Recording all calls or none, based on policy, removing selective recording risk
  • Capturing automatic metadata (timestamps, caller ID, duration, routing)
  • Storing recordings in a structured way for audit retrieval
  • Applying role based access controls and access logging

Example workflow:

  1. Caller reaches AI reception.
  2. The system delivers the consent notification.
  3. The call routes to the appropriate staff member.
  4. Recording continues during transfer.
  5. Metadata is automatically logged.
  6. The recording is stored with the participant file reference.
  7. An access log is created if a recording is retrieved later.

Important note: Automated systems are tools, not replacements for proper compliance governance. You still need:

  • Clear policies
  • Staff training
  • Regular reviews
  • Manual override procedures
  • Protection of participant rights

Integration with practice management systems

For call recording to support compliance effectively, it should integrate with:

  • Participant management system: link recordings to participant files
  • Appointment scheduling: associate calls with bookings or cancellations
  • Incident management: tag incident related calls
  • Complaint handling: flag complaint conversations

Audit benefit: When the Commission requests evidence about a participant’s service agreement, you can produce the intake call, booking confirmations, and subsequent discussions, all linked to that participant’s record.

Compliance Checklist


Before implementing call recording

During operation

Audit preparation

Frequently Asked Questions

Is call recording mandatory for NDIS providers?

No. NDIS Practice Standards require documentation of participant agreements and key interactions but do not specify the method. Call recording is one approach. Detailed contemporaneous notes are an alternative. However, call recording provides more accurate records than notes alone, particularly for disputes or audits.

What if a participant refuses to be recorded?

You must still provide services. Refusing service due to a recording objection would likely breach NDIS requirements about participant rights and access. Alternative: take detailed contemporaneous notes using structured templates. Send follow up emails confirming key points. Train staff in thorough note taking.

How long must we keep call recordings?

There is no single requirement. Align retention periods with the purpose of recording: service agreements (seven years is common), general enquiries (12 to 24 months), incidents or complaints (seven years). The Privacy Act requires you do not keep recordings longer than necessary. Document your policy and apply it consistently.

Can participants request copies of call recordings?

Yes, under Privacy Act APP 12. You must respond within 30 days, verify participant identity, provide access (audio file, transcript, or summary), consider privacy of third parties in the recording, and document the request and response.

What if we recorded a call without proper consent?

This may breach state surveillance laws and the Privacy Act. Immediate steps: seek legal advice; assess whether it is a notifiable data breach (see OAIC guidance); consider whether to notify the affected participant; review and fix consent procedures; document the incident and response.

Do we need to tell staff they are being recorded?

Yes. Staff have privacy rights. Include call recording notification in employment contracts, staff privacy notices, workplace policies, and induction and training materials.

Privacy Policy Template

Include language similar to this in your website privacy policy:


Call Recording

We may record telephone calls for quality assurance, staff training, complaint handling, incident management, and compliance with NDIS Practice Standards and the Privacy Act 1988.

Callers will be notified at the start of calls that recording may occur. You can request we do not record your call and we will take detailed notes instead.

Call recordings are:

  • Stored securely with encryption and access controls
  • Accessed only by authorised staff for legitimate purposes
  • Retained for [specify period, for example seven years] in line with our record keeping obligations
  • Disposed of securely when no longer required

Under the Privacy Act 1988, you can request access to recordings of your calls. We will respond within 30 days. You can also request corrections to information in recordings if it is inaccurate.

For more information about how we handle your personal information, see our full Privacy Policy or contact our Privacy Officer on [contact details].


Final Note

NDIS compliance is not about ticking boxes. It is about protecting participants while running a sustainable, defensible operation.

Phone calls represent one of the most significant and most overlooked compliance surfaces in NDIS service delivery. Not because providers do not care, but because traditional administrative approaches were not built for today’s complexity and volume.

Whether you use manual processes, automated systems, or AI reception tools, the principles remain the same:

  • Transparent notification
  • Participant consent and dignity
  • Secure storage
  • Accessible records
  • Defensible documentation

Done well, systematic call recording strengthens your compliance posture, improves service quality, and makes audits significantly less stressful.

Key takeaway: Do not implement call recording as a checkbox. Implement it as part of a comprehensive compliance approach that respects participant rights, protects your organisation, and improves service delivery.


Need help implementing compliant call recording? CallCleo provides NDIS ready AI reception with built in consent notifications, Australian data hosting, and integration with practice management systems.



Dr. Rachel Taylor

Clinical operations consultant with 15 years in allied health. Specializes in NDIS compliance, quality assurance, and participant outcomes.
