The Risks of Storing NDIS Data in Spreadsheets or Google Sheets: Compliance and Security Considerations

October 17, 2025
5 min read

Introduction: The Risks of Storing NDIS Data

In the rapidly evolving digital landscape, data security and regulatory compliance are critical concerns for businesses handling sensitive information. For registered providers under the National Disability Insurance Scheme (NDIS), ensuring data security is paramount, given the stringent cyber security requirements set by the National Disability Insurance Agency (NDIA). Despite the convenience of spreadsheets and cloud-based tools like Google Sheets, these platforms present significant risks when handling identifiable or re-identifiable NDIS data. This article explores these risks, emphasises the requirement for data to be stored in Australia, and outlines best practices for compliance. Additionally, we discuss the benefits of using an NDIS-specific, ISO 27001-compliant software solution.

The Risks of Using Spreadsheets or Google Sheets for NDIS Data Storage

While spreadsheets and cloud-based solutions like Google Sheets offer ease of use and accessibility, they pose serious security vulnerabilities when handling NDIS participant data. Below are some key risks:

  1. Lack of Encryption and Data Protection
    • The NDIA mandates that all identifiable or re-identifiable data must be encrypted at rest and in transit using approved encryption algorithms. Most spreadsheets and Google Sheets do not meet these encryption standards, making them unsuitable for storing sensitive data.
  2. Inadequate Access Control and Auditing
    • NDIA data must be restricted to staff with a defined “need to know.” Spreadsheets lack robust user access control mechanisms, making it difficult to track who accesses or modifies data.
    • Google Sheets allows sharing through links, which increases the risk of unauthorised access and data breaches.
  3. Data Residency and Compliance Issues
    • The NDIA explicitly requires that all identifiable data, including backups and archives, be stored within Australia. Google Sheets and other cloud-based platforms may store data on servers outside Australia, which breaches this requirement.
    • Such non-compliance exposes registered providers to potential regulatory action and penalties.
  4. Lack of Cyber Incident Management
    • NDIA requires organisations handling its data to have a tested Cyber Incident Management process. Spreadsheets and Google Sheets do not provide built-in monitoring or intrusion detection mechanisms, increasing the risk of unreported breaches.
  5. Absence of Version Control and Audit Logs
    • The NDIA mandates logging and auditing of all data access and changes. Spreadsheets offer limited version control, making it challenging to track unauthorised modifications or detect potential data leaks.

Compliance Requirements for Registered Providers

To ensure compliance with NDIA cyber security requirements, registered providers should implement the following actions:

  1. Use Encrypted and Secure Data Storage
    • Ensure that all NDIS data is stored in Australia on secure servers that encrypt it using the Advanced Encryption Standard (AES) with 256-bit keys.
  2. Implement Access Controls
    • Restrict data access based on role-based permissions and ensure that only authorised personnel can access identifiable NDIS data.
    • Maintain an audit log of all data access and modifications.
  3. Develop a Cyber Incident Management Plan
    • Have a documented and tested process for detecting, reporting, and responding to cyber incidents.
    • Notify the NDIA immediately in case of any data compromise.
  4. Adopt an NDIS-Specific, ISO 27001-Compliant Software Solution
    • Ensure that any software used for storing and processing NDIS data is certified against ISO 27001, the standard that requires a robust information security management system (ISMS).
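To make concrete what the access-control and audit-logging items above (and the matching risks 2 and 5 in the previous section) ask for, the following is an added example written for this article; it is not CareMaster's code or any NDIA-mandated design. It enforces a "need to know" rule by mapping roles to the participant fields they may read, and records every access attempt, allowed or denied, in an append-only log in which each entry includes the SHA-256 hash of the previous entry, so that editing or deleting an earlier entry is detectable. The roles, field names, user names and the sample participant record are all constructed placeholders.

```python
"""Added example: role-based 'need to know' field access with a tamper-evident
audit log. Not the article's or CareMaster's code; all data is constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed role-to-field permissions: each role may read only the
# participant fields its job requires ("need to know").
ROLE_PERMISSIONS = {
    "support_worker": {"participant_id", "first_name", "shift_notes"},
    "plan_manager": {"participant_id", "first_name", "ndis_number", "plan_budget"},
    "admin": {"participant_id", "first_name", "ndis_number", "plan_budget",
              "shift_notes", "address"},
}

# Constructed sample record; every value is a placeholder, not real data.
PARTICIPANT_RECORD = {
    "participant_id": "P-0001",
    "first_name": "Sam",
    "ndis_number": "000000000",
    "plan_budget": 12500.00,
    "shift_notes": "Attended community access, 2h",
    "address": "1 Example St, Example Town",
}


class AuditLog:
    """Append-only log. Each entry stores the SHA-256 of the previous entry,
    so modifying or removing an earlier entry breaks the chain."""

    def __init__(self):
        self.entries = []

    def append(self, user, role, action, fields, allowed):
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "fields": sorted(fields),
            "allowed": allowed,
            "prev_hash": prev_hash,
        }
        # Canonical JSON (sorted keys) so the hash is reproducible on verify.
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        body["hash"] = digest
        self.entries.append(body)
        return body

    def verify(self):
        """Recompute every hash and chain link; False if anything was altered."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return False
            recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if recomputed != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def read_record(user, role, requested_fields, record, log):
    """Return only the requested fields the role is permitted to see.
    Every attempt is logged before the decision is enforced; a request for
    any field outside the role's need to know raises PermissionError."""
    permitted = ROLE_PERMISSIONS.get(role, set())
    requested = set(requested_fields)
    denied = requested - permitted
    log.append(user, role, "read", requested, allowed=not denied)
    if denied:
        raise PermissionError(f"role '{role}' may not access: {sorted(denied)}")
    return {field: record[field] for field in requested}


if __name__ == "__main__":
    log = AuditLog()
    print(read_record("alice", "support_worker", ["first_name", "shift_notes"],
                      PARTICIPANT_RECORD, log))
    try:
        read_record("alice", "support_worker", ["plan_budget"], PARTICIPANT_RECORD, log)
    except PermissionError as exc:
        print("denied:", exc)
    print("log intact:", log.verify())
```

The denied attempt is logged as well as the allowed one, which is what makes the log useful for detecting probing by an over-curious account; a spreadsheet shared by link records neither. In production the log would be written to storage the application itself cannot rewrite, and the chain would be anchored with a periodically signed checkpoint, but the field-level check and the hash chain are the parts a spreadsheet cannot provide.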

The Benefits of Using an NDIS-Specific, ISO 27001-Compliant Software

ISO 27001 compliance is a globally recognised standard for information security management. For NDIS providers, using an ISO 27001-certified software solution offers the following benefits:

  1. Enhanced Security
    • Ensures compliance with NDIA’s stringent security requirements, including data encryption, access control, and vulnerability management.
  2. Data Residency Compliance
    • Guarantees that all NDIS data is stored within Australia, as required by NDIA regulations.
  3. Automated Compliance Management
    • Provides built-in compliance features such as audit logging, access tracking, and cyber incident management, reducing administrative overhead.
  4. Scalability and Operational Efficiency
    • Streamlines operations by integrating case management, invoicing, and reporting into a single secure platform, minimising reliance on insecure spreadsheets.

Conclusion and Recommendation

Given the significant risks associated with storing NDIS data in spreadsheets or Google Sheets, registered providers should strongly consider transitioning to an NDIS-specific, ISO 27001-compliant software solution. Such platforms provide enhanced security, regulatory compliance, and operational efficiency while mitigating the risks of data breaches and non-compliance penalties. By adopting a secure and compliant solution, registered providers can safeguard sensitive participant information and maintain trust in their services.

For organisations handling NDIS data, investing in purpose-built software is not just a best practice—it is a necessary step toward ensuring data security and compliance with NDIA requirements.

Author: Adrian Jenkinson
