Why compliance matters more than most providers realise
NDIS Commission enforcement has quietly ramped up since 2024. Advertising-related breaches — misleading service claims, unsubstantiated testimonials, implied endorsements, improper use of the Registered Provider mark — now trigger formal Commission action more often than they did three years ago. A compliance misstep on your website can produce a formal notice, reputational damage with support coordinators, and in extreme cases registration consequences.
The good news: compliance isn't complicated once you've worked through a systematic checklist. Most issues are simple to fix. The problem is most providers never audit against a proper list — they just assume their website is fine because no one has complained yet.
Here's the 25-point checklist we use for every NDIS website audit.
NDIS Commission compliance (10 points)
1. Accurate service descriptions
Every service listed on your website should match your NDIS Commission registration groups exactly. Listing services you're not registered to deliver (for registered providers) or overstating service scope is a Commission compliance breach.
2. No misleading outcome claims
Avoid specific outcome promises you can't substantiate for every participant. "Helping participants achieve their goals" is fine; "Guaranteed to improve your NDIS outcomes" is not. Measured, honest language reads better to sophisticated audiences anyway.
3. Proper Registered Provider mark usage
Only registered providers can display the Registered Provider mark. It must use the approved version from the NDIS Commission provider portal, in approved colours, with correct spacing. Don't use old versions, recoloured versions, or modified versions.
4. No testimonials that can't be substantiated
Every testimonial on your website must be verifiable — actual participant or family member, actual service experience, with written consent on file. No invented quotes, no composites, no agency-written "testimonials" attributed to participants.
5. Testimonial consent documentation
Written consent on file for every displayed testimonial, including: who consented, what they consented to, how long the consent applies, and that they can withdraw it. Retain these records for at least the duration of display plus two years.
6. No implied endorsements
Don't imply endorsement by the NDIA, NDIS Commission, or government bodies that hasn't been formally given. References to NDIS funding, plan types, or Commission registration must be factual, not promotional.
7. Plain-English accessibility
Core service information must be understandable to participants with cognitive disabilities or limited English. Grade 8 reading level as a baseline, with Easy Read or alternative formats available for key information where relevant to your participant population.
8. Complaints process visibility
A clear complaints process should be easy to find on your website — how to complain, how complaints are handled, and that complaints can also be made directly to the NDIS Commission. Linking to the Commission's complaints page is best practice.
9. Code of Conduct alignment
Website content should reflect and not contradict the NDIS Code of Conduct. Claims of participant choice, individualised service, and respectful treatment should align with your actual service delivery practices.
10. Worker screening status (for relevant providers)
Where relevant, indicate that workers are NDIS Worker Screening checked. Don't claim screening status you can't evidence.
ACCC and Australian Consumer Law (5 points)
11. No false or misleading claims
ACL prohibits misleading claims broadly — scope of services, pricing, wait times, staff qualifications. "First in Australia", "best in Brisbane", "number one provider" all require evidence. Avoid unless you can substantiate.
12. Pricing transparency
Where service pricing appears, it should be accurate, current, and clearly indicate NDIS rates vs. private pay where applicable. Hidden fees or additional costs disclosed only after booking create compliance exposure.
13. Clear terms and conditions
Your website should link to clear terms of service, including service scope, cancellation policies, and how disputes are handled. These should be written in plain English, not impenetrable legalese.
14. Privacy policy completeness
A proper privacy policy covering: what data you collect, how it's used, who it's shared with, how it's stored and protected, participant rights regarding their data, and how to access or correct held data. Must comply with Australian Privacy Principles.
15. Cookie and tracking disclosure
If you use Google Analytics, Facebook Pixel, or other tracking, this should be disclosed in your privacy policy. Consider a cookie banner for GDPR compliance if you attract EU visitors (some NDIS providers do).
Accessibility compliance (5 points)
16. WCAG 2.1 AA baseline
WCAG 2.1 AA is the practical minimum for NDIS websites. Beyond compliance obligations, it's what participants and families with disabilities actually need to use your site. Test against WAVE or axe DevTools quarterly.
17. Proper heading structure
Single H1 per page, logical H2/H3 hierarchy, no skipped levels. Screen readers navigate by headings — broken hierarchies make your site unnavigable.
18. Keyboard navigation
Every interactive element (links, buttons, form fields, menus) should be reachable and operable via keyboard alone. Test by unplugging your mouse and trying to use your own site.
19. Alt text on images
Descriptive alt text on every meaningful image. Decorative images can have empty alt attributes. Never auto-generate alt text from filenames.
20. Form accessibility
Every form field labelled properly. Error messages clear and associated with fields. Required fields marked and explained. Form submissions accessible via keyboard.
Legal and technical (5 points)
21. ABN display
Australian Business Number displayed on your website — usually in the footer. Required for credibility; expected by participants checking legitimacy.
22. Contact information completeness
Full business name, physical address (or service area if you don't operate from a public premises), phone number, email address, and postal address where different. Easy to find, not buried.
23. SSL certificate
HTTPS on every page, not just the homepage. Mixed content (insecure resources on secure pages) triggers browser warnings and erodes trust.
24. Secure form handling
Contact forms, enquiry forms, and anything collecting participant information must submit over HTTPS. No unencrypted email submissions carrying personal data.
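Several of these items (17 heading structure, 19 alt text, 20 form labels, 23 mixed content and 24 secure form handling) can be checked from a page's HTML before a manual review. The script below is an added example written for this article, not the checklist's own tooling or any vendor's product; it uses only the Python standard library, assumes you have already fetched the page HTML, and the page URL, asset hosts and sample page it ships with are constructed placeholders.

```python
# Added example, not the article's own tooling: a static audit of one fetched
# page for checklist items 17, 19, 20, 23 and 24. URLs and the sample page
# below are constructed placeholders; a real audit feeds it the live HTML.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

HEADINGS = ("h1", "h2", "h3", "h4", "h5", "h6")
NON_FIELDS = ("hidden", "submit", "button", "reset", "image")


class PageCollector(HTMLParser):
    """Collects just the elements the checks below need."""

    def __init__(self):
        super().__init__()
        self.headings = []      # [(level, text)] in document order
        self.images = []        # attribute dicts of <img>
        self.fields = []        # attribute dicts of visible form fields
        self.label_for = set()  # ids referenced by <label for="...">
        self.forms = []         # attribute dicts of <form>
        self.resources = []     # [(tag, url)] of assets the page loads
        self._heading = None    # (level, text parts) while inside a heading

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in HEADINGS:
            self._heading = (int(tag[1]), [])
        elif tag in ("img", "script", "iframe", "link"):
            if tag == "img":
                self.images.append(a)
            url = a.get("src") or a.get("href")
            if url:
                self.resources.append((tag, url))
        elif tag in ("input", "select", "textarea") and a.get("type") not in NON_FIELDS:
            self.fields.append(a)
        elif tag == "label" and a.get("for"):
            self.label_for.add(a["for"])
        elif tag == "form":
            self.forms.append(a)

    def handle_data(self, data):
        if self._heading:
            self._heading[1].append(data)

    def handle_endtag(self, tag):
        if tag in HEADINGS and self._heading:
            self.headings.append((self._heading[0], "".join(self._heading[1]).strip()))
            self._heading = None


def audit(html: str, page_url: str) -> list[str]:
    """One finding per problem; an empty list means the page passed."""
    p = PageCollector()
    p.feed(html)
    out = []
    # 17. Exactly one <h1>, and no level skipped going down (h1 -> h3).
    if sum(1 for lvl, _ in p.headings if lvl == 1) != 1:
        out.append("heading: page must have exactly one <h1>")
    prev = 0
    for lvl, text in p.headings:
        if lvl > prev + 1:
            out.append(f"heading: <h{lvl}> '{text}' skips from h{prev}")
        prev = lvl
    # 19. Every <img> needs alt (empty is fine for decorative images); alt text
    #     equal to the filename is the auto-generated case the checklist forbids.
    for img in p.images:
        src, alt = img.get("src") or "", (img.get("alt") or "").strip()
        if "alt" not in img:
            out.append(f"alt: <img src='{src}'> has no alt attribute")
        elif alt and alt == src.rsplit("/", 1)[-1]:
            out.append(f"alt: <img src='{src}'> uses the filename as alt text")
    # 20. Every visible field needs <label for=id> or an ARIA label.
    for f in p.fields:
        fid = f.get("id")
        if not ((fid and fid in p.label_for) or f.get("aria-label") or f.get("aria-labelledby")):
            out.append(f"form: field name='{f.get('name') or '?'}' has no label")
    # 23. On an https page every loaded asset must also be https (mixed content).
    if urlparse(page_url).scheme == "https":
        for tag, url in p.resources:
            if urlparse(urljoin(page_url, url)).scheme == "http":
                out.append(f"mixed-content: <{tag}> loads {url} over http")
    # 24. Form actions must resolve to https and submit by POST; a mailto:
    #     action hands participant data to unencrypted email.
    for form in p.forms:
        action = urljoin(page_url, form.get("action") or "")
        scheme = urlparse(action).scheme
        if scheme == "mailto":
            out.append(f"form: action '{action}' submits by unencrypted email")
        elif scheme != "https":
            out.append(f"form: action '{action}' does not use https")
        if (form.get("method") or "get").lower() != "post":
            out.append(f"form: action '{action}' should submit with POST, not GET")
    return out


SAMPLE_URL = "https://provider.example/contact"  # constructed placeholder
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="http://cdn.example/site.css">
</head><body><h1>Contact us</h1><h3>Support coordination</h3>
<img src="/img/team.jpg" alt="team.jpg"><img src="/img/divider.png" alt="">
<form action="mailto:intake@provider.example" method="get">
  <label for="name">Your name</label><input id="name" name="name">
  <input name="ndis_number"><input type="submit" value="Send"></form></body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, SAMPLE_URL):
        print(finding)
```

Run against the constructed sample page it reports six findings: the h1-to-h3 skip, the filename used as alt text, the unlabelled `ndis_number` field, the stylesheet loaded over plain HTTP, and the enquiry form that both mails participant data unencrypted and sends it as a GET. A static pass like this does not replace WAVE or axe DevTools for item 16, and keyboard operability (item 18) still needs the unplug-the-mouse test, but it catches the regressions that creep in as content is added between quarterly audits.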
25. Regular compliance audit
This checklist isn't one-and-done. Audit quarterly, because regulations evolve and websites drift out of compliance as content is added. Diarise it.
What to do after running the audit
Most NDIS providers find 4–8 failing items on first audit. Don't panic — almost all are fixable in a few hours of focused work. Prioritise NDIS Commission items first (highest regulatory risk), then ACCC items, then accessibility. Document each fix for your records in case of future compliance queries.
If you find more than 10 failing items, consider a full website compliance review with a specialist. The cost of professional review is substantially less than the cost of a formal Commission notice.