Privacy Act obligations for participant data are strict. Most Perth NDIS providers have Microsoft 365 gaps that create real compliance and privacy exposure. Participant personal information, health data and support plans are sensitive data — and breach notification obligations under the Privacy Act apply regardless of organisation size.
Privacy obligations not met in Microsoft 365. Staff using personal email for client comms.
Get Free Cyber Risk Snapshot →Flat-rate monthly agreements. No lock-in. No surprise invoices.
Book a free Cyber Risk Snapshot and get a plain-English report on your current cyber exposure — specific to your Perth business.
Get Free Cyber Risk Snapshot →If you run an NDIS business in Perth with 5 to 50 staff, you hold one of the most sensitive data sets in the state: participant names, addresses, NDIS numbers, plan budgets, Medicare and health details, support worker rosters that reveal exactly who is alone with whom and when. That mix of identity data, payment data and care data is precisely what attackers want, and most Perth NDIS providers scaled fast on staff and participants without anyone stopping to lock down the systems holding it all.
The operational reality makes it worse. Support workers use their own phones in the field across Joondalup, Armadale, Rockingham and out to Mandurah. Rosters and progress notes get shared over Teams, SharePoint and personal email. Staff turnover is high, so the same logins and shared mailboxes get passed around. Every one of those habits is a door, and on most of the providers we look at, those doors are wide open.
The most common incident we see is not dramatic. A support coordinator gets an email that looks like it is from a participant's plan manager asking to update bank details for the next claim. It is not. The money goes out, and because nobody verified the change by phone, it is gone before anyone notices. This is business email compromise, and NDIS providers are squarely in the firing line because invoicing and payment changes are constant and normal.
The second is the leaver who never really left. A support worker resigns, but their Microsoft 365 account stays active for months because offboarding is a mental note, not a process. They still reach participant records and rosters from a personal device nobody manages. The third is the one that ends businesses: ransomware locks every progress note and plan, and there is no backup that has actually been tested, so the provider cannot prove care was delivered, cannot invoice, and faces a reportable breach under the Privacy Act and NDIS Practice Standards all at once.
For a 5 to 50 staff Perth provider, the cost is not just the lost payment. It is days of staff unable to access rosters or notes, an NDIS Quality and Safeguards Commission notification, participant trust gone, and an audit that suddenly turns hostile because you cannot show who accessed what.
Most NDIS providers in Perth are already paying for Microsoft 365 and using a fraction of what they pay for. We turn on the protection that is sitting dormant in your licences.
We also run a SharePoint and OneDrive permissions audit, because the most common quiet exposure we find is a "Support Team" folder shared with everyone who ever worked there, including the leavers.
NDIS providers carry two obligations at once: the Privacy Act for the personal and health information you hold, and the NDIS Practice Standards, which expect you to manage information securely and control access to participant records. Most providers can write the policy. Far fewer can prove it on the day an auditor or a breach notification asks them to.
That proof is exactly what the Microsoft tools above produce as a side effect of doing security properly: access logs in Entra ID, data location and handling records in Purview, recoverable backups you can demonstrate, and a clear offboarding trail showing the leaver lost access the day they left. We do not sell you a certificate. We show you what is exposed today, fix it, and leave you with evidence you can put in front of the Quality and Safeguards Commission, your cyber insurer, or a participant's family who asks how their data is kept safe.
If you are not certain a former support worker still cannot reach your participant records, or whether your backups have ever actually been restored, that uncertainty is the finding. A Free Cyber Risk Snapshot is a 30-minute external look at your real exposure with a plain-English report you can act on. Book it at calendly.com/corewest/30min.