Federal Court Imposes $1.1 Million Penalty on NDIS Provider for Systemic Failures

Federal Court Imposes $1.1 Million Penalty on NDIS Provider for Systemic Failures

When Do Reporting Failures Become Systemic Non-Compliance?

The Federal Court of Australia (the Court) has handed down a significant decision reinforcing that incident reporting and participant safety are at the core of the National Disability Insurance Scheme (NDIS) regulatory framework.

In Commissioner of the NDIS Quality and Safeguards Commission v Oak Tasmania (the Decision), the Court imposed a $1.1 million penalty after finding widespread failures in both incident reporting and the delivery of safe and appropriate care.

The Decision highlights a growing regulatory focus: where compliance systems fail at scale, the consequences will be substantial – even for not-for-profit providers.

Background

Oak Tasmania (Oak) is a registered NDIS provider that has operated since July 2019. The proceedings were brought by the Commissioner of the NDIS Quality and Safeguards Commission (the Commissioner) in relation to conduct spanning several years.

Oak made admissions to the contraventions. The parties jointly proposed declarations and a penalty, leaving the Court to determine whether those outcomes were appropriate in the circumstances.

The Decision therefore provides a clear and structured example of how the Court approaches NDIS enforcement, agreed penalties, and systemic compliance failures.

The Key Issues Before the Court

The Court was required to consider three central questions:

1. Whether Oak had contravened its obligations under the NDIS legislative framework;
2. Whether formal declarations of those contraventions should be made; and
3. Whether the proposed $1.1 million penalty was appropriate.

This Decision emphasises two types of obligations: incident reporting requirements and the duty to provide safe and competent supports and services.

474 Failures to Report Incidents

A significant aspect of the Decision was Oak’s failure to comply with mandatory reporting obligations. The Court found that Oak failed to notify the Commissioner of reportable incidents on 474 occasions. Some of these incidents required notification within 24 hours, while others required reporting within five business days.

These obligations are not procedural formalities. As the Court emphasised, they are critical to enabling the regulator to detect risks, respond to harm, and identify systemic issues across the
sector.

Failures of this scale meant that the regulator was deprived of timely information, limiting its ability to intervene and protect participants.

Failures in Care and Service Delivery

In addition to reporting breaches, the Court found that Oak failed to provide services in a safe and competent manner across multiple incidents involving different participants.

These failures included unsafe supported accommodation, inadequate mealtime support, poor risk management, and interruptions to essential services. The Court accepted that these failures exposed participants – who are among the most vulnerable members of the community – to harm or, at the very least, a serious risk of harm.

This conduct amounted to breaches of both the NDIS Code of Conduct and the NDIS Practice Standards, which require providers to deliver supports with appropriate care, skill, and attention to individual needs.

Why Reporting Obligations Matter

Incident reporting is fundamental to the integrity of the NDIS system.

The Court made clear that delays or failures in reporting do more than breach administrative rules. They can:

• prevent timely intervention by the regulator;
• delay responses to harm or risk; and
• undermine broader efforts to identify patterns of unsafe care.

Reporting obligations are directly connected to participant safety, not merely compliance processes.

The $1.1 Million Penalty

The Court ultimately imposed a $1.1 million pecuniary penalty, along with $200,000 in costs. Although the maximum theoretical penalties were far higher, the Court accepted the agreed penalty as falling within an appropriate range. In doing so, it applied well-established principles, particularly the need for general and specific deterrence.

The Court emphasised that penalties must be high enough to ensure that non-compliance is not seen as an acceptable cost of doing business – especially in a sector involving vulnerable individuals.

Factors Influencing the Outcome

Several factors shaped the Court’s approach. The conduct was considered serious due to its scale and the risks posed to participants. The failures were not isolated; they reflected systemic issues in reporting processes and service delivery.

At the same time, Oak’s cooperation was significant. It made admissions to the breaches early, worked with the regulator, and avoided prolonged litigation. It also implemented corrective measures, including improved reporting systems, staff training, and revised policies.

The Court also took into account organisational changes, including new ownership and leadership, which reduced the need for specific deterrence. Nevertheless, the seriousness of the conduct meant that a substantial penalty was still required.

What This Means for NDIS Providers

This Decision reinforces that compliance under the NDIS is not simply about having policies in place. Providers must ensure those systems are effective in practice and consistently followed.

In particular, providers should be aware that:

• Incident reporting must occur within strict timeframes, and failures – especially repeated ones – will be treated as serious breaches;
• Service delivery must meet the required standards of safety, competence, and
  individualisation. Gaps in care, even if unintentional, can expose providers to liability;
• Regulators are increasingly focused on systemic issues. Where failures occur at scale, enforcement action is likely to follow, and;
• Cooperation and remediation can reduce penalties, but they will not eliminate the need for a strong deterrent response where conduct is serious.

This Decision is a clear reminder that the NDIS regulatory framework is designed to protect some of the most vulnerable people in the community. Where providers fail to meet these obligations – particularly in ways that are repeated or systemic – the consequences will be significant.

For organisations, the key takeaway is simple: compliance must be active, embedded, and effective, not just documented.

How Can Safe Space Legal Help?

The team at Safe Space Legal has extensive experience working with organisations in the disability sector, to support and strengthen their safeguarding practices and ensure organisations are meeting their legal obligations when working with people with disability. We work with organisations across Australia and frequently conduct independent safeguarding
investigations.

Safe Space Legal offers holistic safeguarding services including:

• Developing safeguarding policies, procedures and complaints-handling processes;
• Delivering safeguarding training to ensure organisations are aware of their obligations and sector-specific requirements;
• Conducting trauma-informed specialist safeguarding investigations into allegations of violence, abuse, neglect and exploitation in the disability sector;
• Providing expert advice on safeguarding compliance and systemic issues;
• Conducting root cause analyses of critical incidents and crisis management;
• Providing sound legal advice on risk mitigation; and
• Completing policy and implementation audits to ensure compliance with legislative obligations.

Contact office@safespacelegal.com.au or call (03) 9124 7321 to organise a complementary discussion in relation to your organisation’s safeguarding needs.