AI for NDIS Progress Notes: How to Stay Compliant in 2026

The single most common question I get from NDIS providers about AI is this one: can we use it for progress notes?

Yes. With the right tool, the right process, and a genuine review at the end. The time savings are real — and for support workers carrying heavy documentation loads, this is one of the most practical applications of AI available right now.

The problem is that most of the guidance circulating in the sector stops there. It says "use AI, save time" and skips the part that matters: your participants have serious legal protections over their personal information, those protections follow their data overseas, and most of the AI tools your staff are using right now do not meet the standard those protections require.

This post covers both. How to use AI for progress notes in a way that is genuinely useful. And what Australian law actually requires before you do it.

What a compliant NDIS progress note must contain

Before talking about AI, it is worth being clear about what a compliant note actually looks like. Because AI can only help you produce one if you know what you are aiming for.

The NDIS Practice Standards require registered providers to maintain participant records that are current, accurate, and accessible. For Capacity Building supports, a case note is a compliance requirement — not just good practice. The note must be attributable to the individual participant, not to the group.

A compliant progress note contains: date, time, location, and duration of the support; the name of the support worker who delivered it; the specific support provided; the participant's observed response, engagement, and mood; a clear connection to the participant's NDIS plan goals; any incidents, concerns, or changes in condition; and objective language throughout.

The difference between compliant and non-compliant is specific. "Participant attended the session and engaged well" is a documentation failure. "Participant read aloud for 20 minutes with minimal prompting, remained focused throughout, and initiated conversation about the topic independently — consistent with goal of improving communication skills" is a record.

The first version records that something happened. The second records what happened, how the participant engaged, and why it matters to their plan. AI is good at producing the second version from raw observations. It requires a human to verify that what it produced is accurate.

What Australian law says about participant data and AI

This section matters. Read it before you deploy anything.

The Privacy Act and why it applies to your organisation

NDIS participant data is classified as health information under the Privacy Act 1988 (Cth). Health information is a category of sensitive information — it attracts higher obligations than ordinary personal data.

The Privacy Act's small business exemption excludes businesses with annual turnover below $3 million. That exemption does not apply to businesses providing health services. NDIS providers handling participant health information are covered by the Act regardless of size.

APP 8 — the overseas disclosure rule

APP 8 is the principle that directly governs what happens when participant data is sent to an AI tool hosted overseas.

The rule: before disclosing personal information to an overseas recipient, an APP entity must take reasonable steps to ensure the overseas recipient does not breach the Australian Privacy Principles.

The accountability rule: if the overseas recipient mishandles the data in a way that would breach the APPs, the Australian entity is treated as having committed that breach itself.

In plain terms: if your support worker puts a participant's name and shift observations into consumer ChatGPT — hosted in the United States — and OpenAI misuses, retains, or exposes that data, your organisation is treated as if it committed the breach. Not OpenAI. You.

The exceptions to APP 8 are narrow. Getting explicit informed consent from every participant before every AI-assisted note is not operationally realistic, and using it as a compliance mechanism for a disability support context raises significant safeguarding concerns.

What the OAIC said about this in October 2024

The Office of the Australian Information Commissioner published guidance on privacy and commercially available AI products in October 2024. It was written precisely for this situation.

The OAIC's explicit recommendation: organisations should not enter personal information, and particularly sensitive information, into publicly available generative AI tools.

Before any AI tool is used with personal data, the OAIC requires that the organisation: conducts due diligence on the AI product's data practices; completes a Privacy Impact Assessment; tests the tool for bias and inaccuracy before use with real participant data; embeds human oversight mechanisms; updates privacy notices to disclose AI use to participants; and applies technical controls including access restrictions, encryption, and audit logging.

This is not aspirational guidance. It is the framework the OAIC will apply when assessing whether a provider has met its obligations.

The NDIS Commission has not issued specific AI guidance yet

The NDIS Commission's current position: it does not use AI internally or externally, and will update its AI transparency statement when this changes.

As of April 2026, the Commission has not published specific operational guidance for registered providers on AI use in service delivery. The applicable framework is the existing Practice Standards combined with the Privacy Act and the OAIC guidance above.

The Commission has published a position statement on AI in behaviour support plans (February 2026): AI may assist in drafting, but clinical responsibility remains with the qualified practitioner. That principle extends directly to progress notes. AI assists. The support worker certifies.

Where the major AI tools actually process your data

This is where the specifics matter and where most sector guidance is either wrong or silent.

Consumer ChatGPT — free and Plus tiers

Data is processed on OpenAI servers in the United States. By default, free tier conversations are used to train OpenAI's models. Staff must manually opt out via Settings > Data Controls. No data processing agreement is available at these tiers. No data residency option exists.

A support worker using a personal ChatGPT account to draft a participant's progress note is disclosing health information to an offshore AI system with no contractual protection, and potentially contributing that information to model training. This is a direct breach of APP 8 and the OAIC's explicit guidance.

This is happening in disability services organisations across Australia right now.

ChatGPT Enterprise and the OpenAI API

OpenAI has expanded data residency options to include Australia. Enterprise or API customers with approved data controls can store data at rest in Australia.

The critical distinction: storage residency and inference residency are different things. OpenAI's own documentation states that inference residency guarantees GPU execution in the selected region "for supported workloads, but other processing — authentication, routing, indexing, logging — may still occur outside the region."

Enterprise and API arrangements are meaningfully better than consumer ChatGPT. They still require careful configuration, a data processing agreement, and a Privacy Impact Assessment before use with participant data.

Microsoft 365 Copilot

In November 2025, Microsoft announced that Australian organisations can enable in-country processing for Microsoft 365 Copilot. With this setting configured by an IT administrator, Copilot interactions are processed in Australian data centres. Content and the related semantic index are stored at rest in Australian infrastructure.

This is the strongest data residency arrangement currently available among major commercial AI tools for Australian providers. A data processing agreement is included in Microsoft's enterprise terms. Not-for-profits can access Microsoft 365 licensing with a 15% discount through nonprofit programs.

Two requirements: the organisation must be on a Microsoft 365 business plan, and in-country processing must be explicitly configured. It is not automatic.

Google Gemini and Google Workspace AI

As of current documentation, Australian data residency is not available for Gemini AI processing within Google Workspace. Available residency regions for Gemini features are US and EU only. Verify this directly with Google before making any decisions — this is a rapidly changing area.

Australian-hosted tools built for this context

Several tools built specifically for the Australian disability and healthcare context are worth knowing about.

AusGPT uses OpenAI models hosted privately on Microsoft Azure in Australian regions (Sydney and Melbourne). All data is stored and processed within Australia with no external model training. It includes NDIS-specific features: drafting progress notes and incident reports from observations, converting voice memos to structured notes, creating service agreements.

LAIT is an Australian-built private AI platform for NDIS providers, hosted in AWS Sydney. Contracts prohibit use of customer data for model training.

Heidi Health is an Australian-founded AI clinical scribe gaining use in allied health settings. Verify data residency specifics directly before use in an NDIS context.

Microsoft Copilot with in-country processing configured, or an Australian-hosted purpose-built tool, is the cleaner compliance path than trying to make consumer ChatGPT work within the APP framework.

What a compliant AI-assisted progress note workflow looks like

Having the right tool is necessary but not sufficient. The workflow has to be right too.

Step 1. The support worker delivers the shift and keeps brief contemporaneous notes — a voice memo, short bullet points, anything that captures what actually happened before memory fades.

Step 2. At the end of the shift, the worker inputs their own observations into the AI tool. Not the participant's file. Not previous notes. Their own description of what occurred during this shift. The prompt: "Help me structure this into an NDIS-compliant progress note. Here is what happened: [observations]."

Step 3. The AI produces a structured draft aligned to progress note format.

Step 4. The worker reads every sentence of the draft. They are looking for: factual errors (AI frequently invents details), language that overstates what was observed, goal alignment that does not match the participant's actual plan, any mention of other participants who may have been nearby, and clinical-sounding language that misrepresents the worker's observations. This is not a quick scan. It is a read.

Step 5. The worker submits the note under their own name. They are certifying its accuracy. AI-assisted drafting is not a defence for an inaccurate record.

Step 6. Supervisor spot-check. A sample of AI-assisted notes reviewed monthly for quality, compliance, and patterns of AI error specific to your tools and your team.

What the review must catch

AHPRA published guidance in August 2024 for health practitioners using AI for clinical documentation. NDIS support workers are not AHPRA-registered practitioners, but the framework is the closest formal guidance Australia has issued for AI-assisted care documentation.

AHPRA's position: the practitioner is fully accountable for all clinical documentation. AI authorship is not a defence. Every output must be verified by the person who delivered the care before it enters the record.

Specific things to catch in the review: hallucinated details (AI will occasionally add information not in the original prompt — remove any detail not in the worker's own description); group documentation (AI may reference how the group responded — every note must be specific to the individual); over-interpretation (phrases like "appeared anxious" represent clinical judgment — replace with what was directly observed); goal misalignment (AI does not know the participant's plan — the worker must confirm correct goals); incorrect support type (the note must match the support item being claimed).

What happens when it goes wrong

The NDIS Commission issued over $4 million in civil penalties in 2023-24 — a six-fold increase on the prior year. It received 111,345 complaints and reportable incidents — a 78% increase. Documentation failures appear in audit findings, in complaint investigations, and in the evidence trail that leads to formal enforcement.

Adding AI to a poorly managed documentation process does not reduce that risk. It accelerates it. The volume of notes increases and the likelihood of each note being carefully reviewed decreases.

Under the Privacy Act, serious or repeated interference with privacy carries penalties of up to the greater of $50 million, three times the benefit obtained, or 30% of annual domestic turnover. In 2024, Australian Clinical Labs was ordered to pay $5.8 million — the first civil penalty ever imposed under the Privacy Act — following a data breach affecting 223,000 people.

The Privacy Act penalties for a small NDIS provider would not reach that scale for a first breach. The reputational and Commission-reporting consequences of a privacy incident involving participant health data are separate from the penalty question — and for a small provider, potentially more consequential than any fine.

Frequently asked questions

Can NDIS support workers legally use AI to write progress notes?

Yes, with appropriate controls. The NDIS Practice Standards do not prohibit AI assistance for documentation. The Privacy Act 1988 requires that participant health information is not disclosed to offshore AI tools without a data processing agreement and appropriate safeguards. Consumer ChatGPT is not appropriate. Australian-hosted tools or enterprise arrangements with data residency configured are the compliant path.

What happens if a support worker uses ChatGPT for a participant's progress note?

The worker is disclosing participant health information to an offshore AI system without a data processing agreement or data residency controls. Under APP 8, if OpenAI mishandles that data, the NDIS provider is treated as if it committed the breach. The OAIC explicitly recommends against entering sensitive information into publicly available AI tools.

Does the NDIS Commission allow AI-assisted progress notes?

The Commission has not published specific guidance on AI in progress notes as of April 2026. The position on behaviour support plans (February 2026) — AI assists, the practitioner certifies — is the framework to apply. The support worker who delivered the support is responsible for the accuracy of the record regardless of how the draft was produced.

Which AI tool is safest for NDIS providers to use with participant data?

Microsoft 365 Copilot with in-country processing enabled is the strongest current option among major commercial tools — data is stored and processed in Australian data centres. Australian-purpose-built tools including AusGPT and LAIT are also appropriate. Consumer ChatGPT, free or Plus tier, is not appropriate for participant data.

What does a compliant AI progress note workflow look like?

Worker delivers support and records brief observations. Worker inputs their own observations into an approved AI tool. AI produces a structured draft. Worker reads every sentence, corrects errors and inaccuracies, verifies goal alignment, and removes any information not in their original observations. Worker submits the note under their own name. Supervisor spot-checks a sample monthly.

What is the biggest risk of using AI for NDIS progress notes?

Two risks. First, data: staff using personal ChatGPT accounts with participant information, which is a direct privacy breach. Second, accuracy: workers submitting AI-generated notes without genuine review, creating false records. Both are happening across the sector right now.

The honest position

AI is a genuine time-saver for progress notes. The time savings are real only if the tool is appropriate, the data is protected, and the review is genuine.

A workflow where workers paste participant information into consumer ChatGPT and submit whatever comes out does not save time at a system level — it defers the risk of an inaccurate record or a privacy breach to a point when the consequences are more serious.

The organisations getting this right selected an appropriate tool, trained their workers on both the tool and the review process, and embedded supervision to catch the cases where AI got it wrong.

That is not complicated. It is just not the path of least resistance.

At AMS, we have worked through this ourselves. If you want to understand what a compliant approach looks like in practice for a direct support provider — the tools we use, the policy we built, the review process we follow — get in touch.