Psychosocial Safety Obligations: What Employers Need to Do

SafeWork NSW released its Psychological Health and Safety Strategy 2024-2026 on 22 May 2024, committing to a 25% annual increase in compliance visits and a dedicated focus on workplaces with 200 or more workers. In March 2026, the regulator deployed 20 new psychosocial inspectors as part of a 51-inspector expansion. On 19 December 2025, Comcare secured the first-ever Commonwealth employer penalty for a death caused by psychological harm: the Department of Defence was convicted under section 33 of the Work Health and Safety Act 2011 (Cth) and fined $188,000 in a decision handed down by Magistrate Brett Thomas in the NSW Local Court.

The enforcement environment is no longer theoretical. Where two years ago an employer could reasonably treat psychological health and safety as an emerging issue, the regulators in NSW, QLD, SA, VIC, and WA, along with Comcare federally, have all moved into active enforcement mode. The Codes of Practice that operationalise the obligations have been progressively rolled out across jurisdictions since 2022, and the Commonwealth Code (which applies to federal employers and federally-regulated industries) took effect in late 2024.

For employers in the national WHS system, the obligations are clearer than the day-to-day compliance work suggests. The Work Health and Safety Act 2011, the health and safety legislation adopted in every state and territory except Victoria, places two primary duties on every business: the primary duty of care under section 19, owed so far as is reasonably practicable (and confirmed by the courts to extend to psychological as well as physical health), and the officer due diligence duty under section 27 (which sits on directors and senior decision-makers personally, not on the company alone).

Psychosocial hazards are aspects of work and working environments with the potential to cause psychological or physical harm through a sustained stress response.

This guide covers what those duties actually require, how the four-step risk management methodology applies to psychosocial hazards specifically, how state variation works (with the QLD Code of Practice 2022 as the canonical Brisbane reference), and the consultation and documentation steps that mark the difference between defensible and exposed compliance.

What WHS section 27 actually requires of officers

The officer due diligence duty under section 27 of the WHS Act is the personal liability provision that many directors do not realise applies to them. The duty sits on every "officer" of the business. The Act adopts the section 9 Corporations Act definition, which includes:

• Company directors
• Company secretaries
• Anyone who makes or participates in decisions affecting the whole or a substantial part of the business
• Anyone with capacity to significantly affect the company's financial standing
• Anyone on whose instructions directors are accustomed to act

For most SMEs, this captures the owner-directors and the senior managers who run the business day-to-day. It is not limited to whoever is on the ASIC register as a director.

Section 27(5) defines "due diligence" by reference to six specific elements. An officer must take reasonable steps to:

1. Acquire and keep up-to-date knowledge of work health and safety matters
2. Gain an understanding of the nature of the operations of the business and the hazards and risks associated with those operations
3. Ensure the business has and uses appropriate resources and processes to eliminate or minimise risks to health and safety
4. Ensure the business has appropriate processes for receiving and considering information about incidents, hazards, and risks, and for responding in a timely way
5. Ensure the business has and implements processes for complying with any duty or obligation under the Act
6. Verify the provision and use of the resources and processes set out above

The duty is proactive. It is also non-delegable. An officer cannot discharge their personal duty by appointing a safety manager or engaging a consultant; both can support discharge of the duty, but the legal responsibility remains on the officer.

Failure to exercise due diligence can attract a penalty on the officer personally, separate from any penalty on the business, and can apply even where the business is not separately convicted. The maximum personal penalty for a Category 1 offence is currently five years' imprisonment or a substantial fine (the dollar figure is indexed and varies between jurisdictions).

Managing psychosocial hazards: identify, assess, control, review

The risk management process for psychosocial hazards follows the same four-step structure that applies to physical hazards under the Work Health and Safety Regulations 2011 (Cth) and their state equivalents. The order is fixed and the steps are sequential.

Step 1: Identify the hazards. The common psychosocial hazard categories named in the relevant Code of Practice cover both the design of work (high job demands, low control, poor support, role clarity, organisational change, recognition and reward, organisational justice) and the way workplace behaviour is managed (workplace bullying, sexual harassment, conflict or poor workplace relationships, occupational violence and aggression, exposure to traumatic events or material). Identification of psychosocial hazards and risks is not done by survey alone. The standard sources are direct worker consultation, incident and complaint records, sick leave and turnover patterns, exit interview themes, and where applicable, dedicated psychosocial risk audits. See the Safe Work Australia psychosocial hazards resource page for the model categories.

Step 2: Assess the risk. For each identified hazard, the assessment considers the likelihood of harm, the severity if harm occurs, the duration and frequency of worker exposure, and the existing controls in place. Assessment is documented. The Code of Practice requires a written record, even where the conclusion is that the risk is low.

Step 3: Control the risk. The WHS Regulations require controls to be applied using the hierarchy of control. For psychosocial hazards the hierarchy applies as follows:

• Elimination: redesign work to remove the hazard (for example, removing a shift pattern that produces unsustainable demands)
• Substitution: replace the hazardous element with a less hazardous one
• Engineering controls: change the physical or systemic environment
• Administrative controls: training, procedures, policies, supervision
• Personal-protective measures: support services, EAP, individual coping resources

Administrative controls and EAPs are the most common starting point and the weakest in the hierarchy. Where the assessment identifies a structural cause, the control response should engage the higher levels of the hierarchy first; administrative measures alone rarely control risks at their source, and preventative redesign is what regulators look for.

Step 4: Review and revise. Controls must be reviewed at scheduled intervals, after any incident, after any significant change to the work, and on request from a Health and Safety Representative or worker representative. The review is documented and the conclusions feed back into the next risk assessment cycle.

The four steps form a continuing cycle for managing psychosocial risks; the duty to manage hazards does not end with a one-off compliance exercise. An officer's section 27 duty includes the maintenance of the cycle.

The Codes of Practice and how state variation works

Codes of Practice operationalise the WHS Act by setting out the standard a regulator expects of a duty holder for a particular hazard. They are evidence of what is "reasonably practicable" under the Act and are admissible in prosecutions; in practice, they translate the employer's duty into concrete steps for controlling the risk of harm before it eventuates.

The current psychosocial Codes:

• Commonwealth (Comcare jurisdiction): Work Health and Safety (Managing Psychosocial Hazards at Work) Code of Practice 2024, in force from late 2024
• QLD: Managing the risk of psychosocial hazards at work Code of Practice 2022, in force 1 April 2023. This is the canonical Brisbane reference. Get a current copy from WorkSafe Queensland's Code of Practice page
• NSW: Code of Practice: Managing psychosocial hazards at work, in force May 2024
• VIC: separate statutory regime under the Occupational Health and Safety Act 2004; psychosocial-specific regulations commenced 1 December 2025
• WA, SA, ACT, NT, TAS: state-specific codes, generally aligned to the Safe Work Australia model

For an employer with operations in more than one state, the applicable Code is determined by where the workers are located, not where the head office is registered. A QLD employer with five staff in Sydney has WHS obligations in both states, applies the QLD Code to the QLD workforce, and the NSW Code to the NSW workforce. Where the codes differ, the safer course is to apply the more rigorous standard across the business.

Officers should keep a current copy of the applicable Code and use it as the operational reference, not a second-hand summary.

Consultation requirements for psychosocial risks

Section 47 of the Work Health and Safety Act requires a business to consult with workers (and HSRs where elected) on matters affecting their health or safety. The duty applies to psychosocial matters as it does to physical matters.

Practical consultation for psychosocial hazards:

• Inform workers of the hazard assessment process and invite input
• Provide reasonable opportunity for workers to raise psychosocial concerns
• Engage HSRs (where elected) at the same standard as for physical risks
• Provide feedback on the consultation outcomes, not just collect input and move on
• Document the consultation process, the views raised, and the response

Where the business has no elected HSRs, the consultation duty still applies and is conducted directly with workers. Where workers are represented by a union for relevant industrial purposes, consultation through the union representative is generally appropriate.

The consultation duty is independent of the consultation obligation under modern awards (the redundancy and major change provision). The two duties can run simultaneously where a workplace change has both WHS and industrial implications.

The QLD Sexual Harassment Prevention Plan and how it interacts

From 1 March 2025, every PCBU in QLD that identifies a psychosocial risk relating to sexual harassment is required to implement a written Sexual Harassment Prevention Plan. The plan is a state-specific obligation under the QLD WHS Regulation, operating alongside the federal Positive Duty under the Sex Discrimination Act and the QLD Code of Practice 2022.

The plan must:

• Identify the workers exposed to the risk
• Document the control measures in place and the basis for those measures
• Set out the consultation that produced the plan
• Be reviewed at least annually and after any relevant incident

For a Brisbane SME, the practical effect is that the documented assessment must specifically address this risk, and the resulting controls must sit in a dedicated plan rather than rolled up into a general harassment policy. The plan is the document a Workplace Health and Safety Queensland inspector will ask for if a complaint is investigated.

Documentation and record-keeping for psychosocial hazards

Psychosocial safety compliance lives or dies on its documentation. The Code of Practice does not contemplate compliance through informal management practice. The records an officer should be able to produce on inspection are:

• The psychosocial risk register: identified hazards, exposed workers, severity and likelihood, existing controls, residual risk rating, review date. Updated continuously, not annually.
• The consultation record: dates of worker consultations, what was raised, what response was given, who participated. The level of formality scales with the size of the business; a five-person business may consult through a team meeting and a written summary, while a fifty-person business may run a more structured process with HSR involvement.
• The training register: who has completed psychosocial safety training, when, and on what topics. This is the document that demonstrates "appropriate resources and processes" under section 27(5)(c). An untrained workforce is not a controlled workforce.
• The incident log: psychosocial incidents reported, how they were handled, what the post-incident review found, and what controls were updated as a result. Section 38 notifiable incidents (serious injury, illness, or death) still apply; psychological injury can be a notifiable incident in defined circumstances.
• The review record: the dates and outcomes of scheduled and trigger-based reviews of the controls. A nil-change review is a valid review, but only if it is documented.
• The current Code of Practice: the applicable state Code (and the Commonwealth Code for federal employers) on hand and in current edition, with a record of when it was last reviewed against the business's practice.

Retention periods are five years for most WHS records under the model WHS Regulations. Workers compensation, incident notification, and exposure records can have longer retention requirements depending on the state or territory. A documented retention schedule, set against the regulations applicable to the business, sits within the section 27 due diligence duty.

The practical test of a defensible documentation set is whether an officer who has been off-site for six months could walk back in, ask for the register, the consultation record, and the training log, and within an hour have a current picture of the psychosocial compliance position. If the answer is no, the documentation gap is the first compliance gap to close.

Psychosocial compliance is the area of workplace safety where the gap between policy and practice is widest in Australian SMEs. The compliance work is not glamorous: hazard identification, written risk assessment, documented controls, scheduled review, and a current Code of Practice on the shelf. None of it is hard. All of it is the difference between a defensible position and an exposed one. Brookvale HR Solutions provides psychosocial safety compliance work under the Psychosocial Safety Guard, led personally by Daniel Holbrook, whose WHS background includes Certificate IV in Work Health and Safety and current experience advising employers across dozens of industries including defence, education, manufacturing, professional services, and hospitality, among others. Call Daniel on 1300 23 44 23. If you are not sure where your business stands, the scenario assessment is the right starting point.

Psychosocial compliance is documentation work, not aspiration work. The four-step methodology produces a defensible position even where the underlying workplace is imperfect. An exposed position is not produced by imperfect conditions; it is produced by undocumented ones. A safe workplace, in the regulator's eyes, is a documented one.