Is Your NDIS Business Communicating on WhatsApp?
Here's Why That's a Problem.
A lot of NDIS providers we talk to are running their team communication on WhatsApp, Facebook Messenger, or Telegram. Group chats for Support Workers, direct messages about Participant schedules, and in some instances, personal information are being shared through these platforms.
It's convenient. Everyone already has it on their phone. And it feels like it's working.
The problem isn't that these platforms are bad tools for personal use. The problem is that these platforms, whether providers know it or not, are not compliant with Australian privacy laws.
What's actually being shared in those group chats?
Think about what a typical NDIS team communicates about in a given week.
Shift changes involving specific Participants. Support plans passed between workers. A message about a Participant's medication or behaviour. A worker asking about a Participant's new address before their support.
This is sensitive personal information. And when it's sent through WhatsApp or Facebook Messenger, it's no longer just inside your organisation.
The Australian Privacy Act 1988 and what it requires
The Australian Privacy Act 1988 sets out how organisations must handle personal information. For NDIS providers, who regularly handle sensitive information about people's health, disability, and daily lives, these obligations are significant.
The Australian Privacy Principles (APPs), which form part of the Act, include specific requirements about how personal information is stored, protected, and disclosed. Of particular relevance is the cross-border disclosure principle: when personal information is sent to an overseas entity, the disclosing organisation is generally responsible for ensuring that entity handles the information in a way that meets Australian standards.
WhatsApp, Facebook Messenger, and Telegram are all operated by overseas companies. Meta (which owns both WhatsApp and Facebook Messenger) is a US-based company. Its servers process and store data in the US and other international locations. Telegram operates across multiple international jurisdictions.
When a Support Worker sends a Participant's name, address, or care details through one of these platforms, that information is being processed by an overseas third party.
There is no data processing agreement between your organisation and that platform. There is no guarantee the information is being handled to the standard the Privacy Act requires.
This creates a serious privacy risk: not a technical one, but a compliance one.
The oversight problem is just as serious
Even if you set aside the privacy law question, there's a more immediate practical problem: you have no oversight.
When your team communicates on WhatsApp, you can't see what's being said.
You can't search for it.
You can't audit it.
If a complaint is made about something a Support Worker said, or about information that was shared inappropriately (via a chat you can't oversee), you have no way to go back and review the conversation.
On top of that, you have no control over who's messaging whom. There's nothing stopping a Support Worker from starting a conversation with anyone in the organisation, or from sharing information that should stay between specific people.
It's the kind of thing that creates real problems when things go wrong, and in the NDIS sector, things sometimes go wrong.

I've seen this play out first-hand as a provider.
A staff member in an office role was part of a Support Worker group chat on Facebook Messenger. At some point, they started offering tax advice in that group.
Whether the advice was accurate or not almost doesn't matter. What matters is that Support Workers received it from someone they associated with the organisation, and treated it accordingly. When you're a Support Worker, and someone from the head office says something in a chat, you're probably going to take it seriously.
When we became aware of it, we asked the person to leave the conversation, and had a direct conversation with them about what's appropriate in those channels and what isn't. But the reality is: we only found out by chance. There was no audit trail. No way to see what had been said before we became aware of it, or who had acted on it.
That's the thing about unmanaged group chats. The risk isn't always a data breach. Sometimes it's just someone saying something they shouldn't, and you have no way to know until it's already caused a problem.
What compliant team communication actually looks like
Compliant communication for NDIS providers isn't complicated. It comes down to a few things:
It stays inside your systems. Participant information should be handled in platforms that are part of your organisation's managed environment, not third-party consumer apps that have no obligation to your compliance requirements.
It has an audit trail. If you ever need to review what was communicated and when, you should be able to. That's not possible on WhatsApp.
You control it. You should be able to decide who can communicate with who, what channels exist, and what gets shared. That's not something you can configure on Facebook Messenger.
It doesn't rely on personal devices in an unmanaged way. When team communication happens on personal messaging apps, your organisation's information effectively sits on staff members' personal phones with no controls in place. That's a risk most providers don't think about until it matters.
What this means for your team day-to-day
We're not suggesting your team stops communicating. That would make running a support organisation impossible.
What we are suggesting is that team communication happens in a platform designed for it, one that keeps information inside your organisation, gives you visibility when you need it, and puts you in control of how your team connects.
That's exactly what Astalty Chat is built for. It's built-in messaging for NDIS providers: channels, direct messages, and the ability to control who can communicate with who, all inside the platform your team already uses for rostering, scheduling, and the delivery of support.

If your team is still on WhatsApp, let's discuss Astalty Chat and how it can work for your team.

