Choosing Compliant NDIS Software and Building Audit-Ready Workflows

Lesson 13 of 14

What "Secure Storage" Really Means Under the NDIS

From NDIS Software Tools

Overview

Explore why secure storage is a non-negotiable for NDIS providers, what best practices look like, and how the right software tools make compliance achievable. Will and Winter break down must-have measures and real-world pitfalls to avoid, with practical examples and expert tips throughout.

Transcript


Why Secure Storage Matters

Will, EnableUs Community: Alright, welcome back to the EnableUs Community podcast—where we dig into the software and systems that keep NDIS providers running smoothly. I’m Will, and as always, I’m joined by Winter. Today, we’re getting into a topic that, honestly, should keep every provider up at night: secure storage. And I don’t mean just ticking a box for compliance—this is about protecting real people’s information, right?

Winter, EnableUs Community: Absolutely, Will. I think sometimes people hear “secure storage” and just picture a locked filing cabinet or a password on a laptop. But under the NDIS Practice Standards, it’s so much more than that. It’s a legal and ethical responsibility. If you’re holding participant records—service agreements, support logs, medical reports, all that—you’re holding someone’s trust. And if you slip up, it’s not just an IT problem. It’s a compliance issue, and it can mean fines, losing your registration, or worse, damaging your reputation.

Will, EnableUs Community: Yeah, and it’s not just about the big stuff like medical reports. Even things like incident logs, consent forms, or just a participant’s address—if that gets out, it’s a breach. I remember chatting with a provider who was still using this old desktop system—like, really old. They nearly had a disaster when the computer crashed, and they realised they had no backups, no access logs, nothing. If that machine had been stolen, they’d have no way to prove the records were safe. It was a real wake-up call for them.

Winter, EnableUs Community: That’s such a common story. And it’s not just about hackers or cyber threats. Sometimes it’s just human error—someone emailing a file to the wrong person, or leaving a folder unlocked. The NDIS Commission expects you to keep all those sensitive documents—service agreements, shift notes, health reports, even emails about care—secure and traceable. If you’re still emailing attachments or saving things in unsecured Word files, it’s time to rethink your process.

Will, EnableUs Community: Exactly. And, like we talked about in our episode on record-keeping, every document is a piece of someone’s life. It’s not just about compliance—it’s about respect and safety. So, let’s get into what secure storage actually looks like, and how you can make it work without overcomplicating things.

Best Practices and Tools for Compliance

Winter, EnableUs Community: So, when we talk about best practices, it’s not just about having a password on your computer. You need a system that covers all the bases: password-protected access, cloud-based backups, access logs, encryption, permission controls, and a disaster recovery plan. That sounds like a lot, but the right software can make it pretty straightforward.

Will, EnableUs Community: Yeah, and there are some great options out there. For NDIS-specific platforms, you’ve got Brevity, Careview, MYP, and Lumary. These are built for compliance—they give you secure client file storage, role-based access, audit logs, and end-to-end encryption. So, you can see exactly who accessed what, and when. That’s huge for accountability.

Winter, EnableUs Community: And if you’re looking for something a bit broader, tools like Google Workspace or Microsoft 365—on the business tier, not the free version—can work really well. They let you set up shared drives, manage access permissions, and add two-factor authentication. But you’ve got to configure them properly. I actually worked with a provider who switched to role-based permissions using one of these platforms, and the difference was night and day. Staff felt way more confident, because they knew only the right people could see sensitive files. It wasn’t just about compliance—it actually made their day-to-day work easier.

Will, EnableUs Community: That’s a good point. And don’t forget about backups. Cloud-based backups with automated scheduling are a must. If your laptop gets stolen or your office floods, you need to know you can recover everything. And access logs—those are your best friend if you ever get audited. You can show exactly who did what, and when.

Winter, EnableUs Community: And it’s not just about the software. You need to train your team, too. Even the best system won’t help if people are still emailing sensitive info or leaving things open on their screens. So, it’s about building habits—logging out, using secure channels, and knowing what not to do. Which, actually, brings us to some of the most common mistakes we see…

Common Pitfalls and How to Avoid Them

Will, EnableUs Community: Yeah, let’s talk about what not to do—because honestly, this is where a lot of providers get tripped up. Using personal email accounts for work stuff, saving files to unencrypted USBs, or even just taking screenshots of participant info and storing them on your phone. Or using free cloud accounts that don’t have proper security settings. All of that is a big no-no under the NDIS standards.

Winter, EnableUs Community: I’ve seen it happen—someone uses their personal laptop or phone for work, thinking it’s just a quick fix, and suddenly there’s a compliance breach. There was a real case where a provider let staff use their own devices for storing participant files. One device got lost, and because there was no encryption or access control, it turned into a full-blown compliance violation. They ended up with a hefty fine and a lot of stress for everyone involved.

Will, EnableUs Community: Yeah, and the thing is, staying compliant doesn’t have to be complicated. There’s a simple step-by-step: centralise your storage—get everything into one secure system. Set role-based access, so only the right people see the right files. Make sure you’re backing up regularly, and test your recovery process. And, like you said, train your team. It’s not just about where you store data, but how you handle it day-to-day.

Winter, EnableUs Community: Exactly. And if you’re not sure where to start, just focus on those basics: centralise, control access, back up, and train. It’s about building trust with your participants and making sure you’re future-proofing your business. We’ve seen in past episodes—like when we talked about documentation and record-keeping—these habits make everything else easier, too.

Will, EnableUs Community: Alright, that’s a wrap for today. If you’re an NDIS provider, now’s the time to review your storage setup and make sure you’re not leaving any gaps. We’ll be back soon with more tips and real-world stories to help you stay compliant and confident. Winter, thanks for the chat as always.

Winter, EnableUs Community: Thanks, Will. And thanks to everyone listening—don’t forget to check out our previous episodes if you missed them. See you next time!