Winter, EnableUs Community: Alright, picture this. You did the big transition from PRODA to myID and RAM, everything was working beautifully, claims were going through, staff were happy, and you just stopped thinking about it. Then one random Tuesday, people start calling out, hey, I can’t get into the portal, my logins aren’t working, our software’s not sending claims. It feels like everything has just fallen over at once.
Will, EnableUs Community: Yeah, and the first reaction is usually, the NDIS portal must be down, right? Or the software’s broken, or PRODA’s playing up again, even though it’s not really PRODA anymore. But what’s actually going on behind the scenes is usually way more boring and way more predictable.
Winter, EnableUs Community: Exactly. What’s happened in the background is that all the invisible plumbing that sits between you and the portal has quietly hit its expiry dates. RAM authorisations hitting that 12 month mark, B2B device credentials hitting their 6 month expiry, contact details that don’t work anymore. And because it all runs silently, it feels like it broke overnight.
Will, EnableUs Community: So let’s break down those moving parts, because they’re not all the same. First one is myID. That’s your personal digital identity now, not the organisation. It travels with you as a person, and it can be used across other government services too. It doesn’t just hard expire every year like a driver’s licence sticker or something.
Winter, EnableUs Community: Yeah, myID is really about you as a human being. You might need to tweak it if your name changes, or your details get updated, or you need to refresh security, but it’s not sitting there on a 12 month countdown that’s going to suddenly cut you off from everything.
Will, EnableUs Community: Then we’ve got RAM, Relationship Authorisation Manager, which is where the fun starts. When a principal authority links the business in RAM and then authorises staff, those authorisations are created with an expiry date baked in. Most of the time, that’s around 12 months out unless you’ve set something different.
Winter, EnableUs Community: And this is the bit that catches people. You do this big onboarding round, add all your staff in RAM, you give them access to the NDIS services, you feel like, cool, that’s sorted, tick. And then a year later, to the day, those authorisations quietly fall off a cliff unless someone has gone in and extended them.
Will, EnableUs Community: Not to mention the NDIS B2B devices. These are the credentials that your client management software uses to talk directly to the NDIS systems. They’re on an even tighter leash: we’re talking roughly six month cycles. When that B2B device expires, the software integration just stops, even though you personally can still log into the portal just fine using myID and RAM.
Winter, EnableUs Community: So that’s a really confusing scenario for providers. The practice manager can log in, they think, well my access is fine, the portal must be okay. But then their software is throwing errors, or batch claims fail, and it’s actually because that B2B device authorisation has quietly expired while everything else kept ticking along.
Will, EnableUs Community: And there’s a fourth layer that people underestimate, which is just contact information. The email in your myID account, the organisational email and phone numbers in RAM, and the contacts in your NDIS provider portal profile. All of that needs to be alive and monitored, or the warning messages never reach you.
Winter, EnableUs Community: I’ve seen this a lot where myID was accidentally set up with someone’s old work email. Then they leave that job, lose access to that inbox, and a year later they’re trying to recover or update things and the codes are going to an email no one can open. Or in RAM, the contact is something like admin@oldbusinessname.com.au that no one checks anymore.
Will, EnableUs Community: So if we zoom out, the mindset shift here is huge. Digital identity and authorisations are not set and forget. They’re more like insurance renewals or your annual audit. If you don’t have a rhythm to check and renew them, you end up discovering problems the moment you’re trying to submit claims on a deadline, which is the worst possible time.
Winter, EnableUs Community: Yeah, and the big win we want for you from this episode is to go from that panic mode, where you only find out something’s expired when staff can’t log in, to a place where you’ve actually got an annual review baked into your operations. It’s just one of those things you do every year, like clockwork, and it saves you from a lot of drama.
Will, EnableUs Community: So in the next part, we’re going to talk about how to build that rhythm. When in your year you should do it, who should own it, and how to use simple tools like calendar reminders and a spreadsheet to keep all this under control, without needing to be super techy.
Winter, EnableUs Community: Alright, let’s talk about building your annual review rhythm, because this is where you stop relying on memory and start relying on systems. And I don’t mean fancy systems, I literally mean your calendar and a basic register of who has access to what.
Will, EnableUs Community: Yeah, and first decision is, when in the year do you do this? A lot of providers we work with like to anchor it to their financial year. So they’ll say, alright, every June or every July, when things are a tiny bit quieter, that’s when we do our digital access review. Others pick a month like January because they reset everything after the holiday break.
Winter, EnableUs Community: The key is consistency. Pick a month where your operational tempo isn’t absolutely nuts, and just declare, this is our annual myID, RAM and portal access review window. And then, importantly, pick a role who owns it. Is it the principal authority, the practice manager, the finance lead, whoever is organised and close to portal usage?
Will, EnableUs Community: I’d actually recommend you make it explicit in someone’s job description or your internal procedures. Like, this person is accountable for checking RAM authorisations, B2B devices, and contact details once a year. Because if it belongs to everyone, it usually belongs to no one, and that’s when things fall through the cracks.
Winter, EnableUs Community: Now, once you’ve picked the month and the owner, jump into your calendar system and set up recurring reminders. So for example, a yearly reminder on the 1st of July that literally says, review and renew all RAM authorisations, B2B devices, and contact details. Make the wording really clear. Don’t just write, check portal, because no one knows what that means in a year’s time.
Will, EnableUs Community: Yeah, vague reminders are useless. You want the reminder to be an instruction. Something like, log in to RAM, check staff list, revoke leavers, extend active authorisations, update spreadsheet. Or, check B2B device expiry dates in software and extend before expiry. That way, whoever sees it knows exactly what steps to take.
Winter, EnableUs Community: For RAM in particular, it’s really helpful to set secondary reminders about 30 days before you know a big batch will expire. So, say you set up all your staff on 15 July 2025, you could drop a calendar reminder in for 15 June 2026 that says, RAM access for all staff expires 15 July, review and extend now.
Will, EnableUs Community: And with B2B devices on that roughly six month cycle, a lot of people find it easiest to put quarterly reminders in. So every three months, your calendar nudges you to log in to your client management software or NDIS integration settings and just check those device expiry dates. If you catch it early, extending is simple. If you leave it until after it lapses, it becomes a troubleshooting headache.
Winter, EnableUs Community: The other piece of the rhythm is your access register. And I know a few people are going to roll their eyes at the word spreadsheet, but honestly, it can be super simple. One tab with columns like staff name, role, has RAM authorisation yes or no, expiry date, last reviewed date, and notes.
Will, EnableUs Community: Exactly. You might also want a section for your B2B devices, listing the software name, device ID or nickname, when it was created, when it expires, and who’s responsible for renewing it. It doesn’t have to be pretty, it just has to be accurate. And every year when you do your review, you update that register.
Winter, EnableUs Community: And there’s a hidden bonus here. That register is absolute gold if you ever get questioned by auditors about your information security. You can literally show them, here are our staff with portal access, here are their current expiry dates, here’s when we last reviewed their access, and here’s when we revoked leavers. It proves you’re governing access, not just letting it sprawl.
Will, EnableUs Community: I think that’s the difference between reactive and proactive. Reactive is, we only touch RAM when someone can’t log in or a claim fails. Proactive is, we have a yearly rhythm, it’s in the calendar, we have a list, and each year we just do the same review. It might be a couple of hours once a year, but it can save you multiple stressful crises that each take just as long.
Winter, EnableUs Community: And remember, you can totally adjust this rhythm to your size. If you’re a tiny provider with two staff, your review might be really quick. If you’ve got a hundred workers, it’s a bit more of a project. But the principles are the same: pick the time, pick the owner, set the reminders, and maintain that access register.
Will, EnableUs Community: Alright, so now that we’ve got the rhythm sorted, in the final part we’re going to walk through a practical step by step. What do you actually click on when you’re in RAM, what are you checking for with staff and devices, and how do you run a quick contact details health check so all the important alerts actually reach you.
Winter, EnableUs Community: Okay, let’s get into the step by step, because this is where you can almost follow along and tick things off. We’ll start with RAM authorisations, then look at B2B devices, and finish with contact details across myID, RAM and the NDIS portal.
Will, EnableUs Community: So, step one, RAM. You’re going to go to authorisationmanager.gov.au and log in using your myID credentials. Once you’re in, you’ll navigate to your linked business, and then look for something like Manage authorisations or the section that shows who is currently authorised to act on behalf of your organisation.
Winter, EnableUs Community: When that list loads, don’t rush past it. This is where you slow down and go through each person one by one. You’re checking a few things. First, does this person still work for us? If they’ve left, don’t wait for the natural expiry date in six months’ time, revoke their authorisation now.
Will, EnableUs Community: Yeah, that’s a big one. If ex-staff still show as authorised in RAM, they technically still have the ability to act on behalf of your business in those government services. Revoking them promptly is both good security and good governance. So mark them in your access register as revoked and update the date.
Winter, EnableUs Community: Second, look at what services and permissions each current staff member has. Does it match their actual role today? Maybe someone moved from admin into a clinical lead position or vice versa. They might not need the same portal access they had when you first set them up. This is your chance to tidy that up.
Will, EnableUs Community: And third, check the expiry dates. RAM will show you when each authorisation is due to end. For the people who are staying, you want to extend those well before they hit expiry. Click into the authorisation, look for Extend or similar, and push the expiry date up to 12 months forward, or whatever is appropriate.
Winter, EnableUs Community: Don’t be that person doing this the night before, by the way. Give yourself a safety margin. If you know everything’s expiring mid July, aim to do your review and extensions mid June, not 11:59pm the day before. And every time you extend an authorisation, pop the new expiry date into your access register.
Will, EnableUs Community: Alright, step two is your B2B devices. This is going to look a bit different depending on what client management software you use, but the core idea is the same: somewhere in your system or in your NDIS integration settings, there’ll be a list of the registered devices or keys that let your software talk to the NDIS systems.
Winter, EnableUs Community: You want to find that list and look for expiry information. Typically, these NDIS B2B devices are set on a six month expiry cycle for security reasons. So you’re looking for anything that’s close to expiring, or worse, already expired and just quietly causing integration failures in the background.
Will, EnableUs Community: If you see something that’s about to expire, follow your software’s process to extend or renew that device. Each system will have slightly different buttons or wording, but the principle is, you’re refreshing that trust so the portal continues to accept connections from your software. And again, record those dates in your register.
Winter, EnableUs Community: The really nice thing about catching this ahead of time is that instead of your team experiencing mysterious errors on claim day and spending hours troubleshooting whether it’s the portal or the software, you’ve already renewed the device and the whole thing is invisible to staff. No drama, no frantic calls.
Will, EnableUs Community: Then we come to step three, which is contact details. And this bit is easy to skip because nothing looks obviously broken… until something important fails to reach you. So we’re going to deliberately check myID, RAM, and your NDIS provider portal profile.
Winter, EnableUs Community: Start with myID. Check the email address linked to your personal digital identity. Ideally, this should be a personal email that you actually control and will keep long term, not a work email that you’ll lose if you change jobs. If it’s currently pointing to an old or risky address, update it now while you remember.
Will, EnableUs Community: Then, jump back into RAM and look at the organisational contact details. What email addresses are listed there for your business? Are they generic mailboxes that are actually monitored, like admin@yourorg.com.au that someone checks daily? Or are they old addresses that no one logs into anymore?
Winter, EnableUs Community: Same with phone numbers. A lot of these systems use SMS for two factor authentication. If the registered mobile number belongs to a staff member who left, or to a phone that’s never turned on, you’re going to hit barriers when you try to log in. So confirm that the number is correct and that the phone is accessible to the right person.
Will, EnableUs Community: If you want to be really thorough, you can even do a tiny test. Start a login, trigger an SMS code, and just make sure it lands where it’s meant to. Or send a test email to the admin inbox and confirm someone actually sees it. It sounds small, but if you ever need to recover access quickly, you’ll be glad you checked.
Winter, EnableUs Community: Finally, look at your secondary contacts and backup people listed in your portal profiles. Do they still work for you? Are they still the right escalation contacts if something goes wrong? If not, update those names and details so that when the NDIS or a system sends out an urgent alert, it actually reaches someone responsible.
Will, EnableUs Community: When you put all of that together, what you’ve created is a small annual ritual that prevents a lot of predictable problems. Instead of finding out about expired authorisations when staff are locked out on deadline day, you’re catching them early in a calm review window.
Winter, EnableUs Community: Yeah, the payoff is huge compared to the time it takes. A few hours once a year to review RAM, B2B devices, and contacts can save you multiple crisis moments, piles of support tickets, and a lot of stress for your team. And it also shows auditors that you’re serious about access and information security.
Will, EnableUs Community: So if you’re listening and thinking, okay, where do I start, I’d say this. Pick your review month, book a two hour block in your calendar called Annual myID, RAM and portal access review, and jot down a simple checklist based on what we’ve talked through today. Then actually do it once, and refine from there.
Winter, EnableUs Community: And if you’re already mid crisis while you’re listening to this, that’s alright. Use this as a guide to clean things up now, and then lock in your annual rhythm so you don’t end up back in the same spot in twelve months. Future you will be very grateful.
Will, EnableUs Community: Alright, we’ll wrap it up there. Thanks for hanging out with us on Navigating PRODA while we nerd out on annual reviews and access governance. It’s not the flashiest topic, but it really does make everything else run smoother.
Winter, EnableUs Community: Thanks for listening, and hopefully this gives you a really practical way to stay ahead of those myID, RAM and NDIS portal surprises. I’m Winter.
Will, EnableUs Community: And I’m Will. We’ll catch you in the next episode.