Guide · NSW · VIC · QLD · WA · SA · TAS · ACT · NT

WHS Policy in Australia — the complete SMB guide

Everything an Australian small business needs to know about its WHS obligations under the Model WHS Act, what a compliant policy contains, and how to keep one current.

By PolicyPack research · 7 min read · 1,642 words · Last updated 14 May 2026

The Work Health and Safety regime that applies to Australian businesses is built on the Model WHS Act, drafted by Safe Work Australia, and enacted in seven of the eight Australian jurisdictions. Victoria runs a separate-but-similar regime under the Occupational Health and Safety Act 2004 (Vic). Western Australia adopted the Model framework in 2022 with some local variations. The Northern Territory operates the Model with minor amendments.

For a small or medium-sized business, the practical effect is that the obligations are largely the same wherever you operate, but the regulator, the penalty units, and the notification procedures differ by state. This guide walks through what every Australian PCBU is required to do under the WHS regime, what a compliant WHS Policy actually contains, and how to keep one alive past its delivery date.

What is a PCBU and are you one?

The Model WHS Act centres on the concept of a Person Conducting a Business or Undertaking (PCBU). The definition is deliberately broad: a sole trader, a partnership, a company, an unincorporated association, a charity, or a government department all qualify. Volunteers do not, in most cases. Workers in their personal capacity do not.

If you employ anyone, contract anyone, host anyone on your premises, or expose any third party to the work you do, you are a PCBU and the WHS Act applies to you. The duty exists whether or not you have a written policy, have registered for workers compensation, or have completed any compliance documentation. The documentation is evidence that you discharged the duty. It does not create the duty.

The primary duty of care

Section 19 of the Model WHS Act is the heart of the regime. It imposes on a PCBU a duty to ensure, so far as is reasonably practicable, the health and safety of:

  1. Workers engaged or caused to be engaged by the PCBU.
  2. Workers whose activities are influenced or directed by the PCBU.
  3. Other persons who may be put at risk by the work.

"Reasonably practicable" is defined in section 18. It requires weighing five factors: the likelihood of the hazard or risk occurring, the degree of harm, what the PCBU knew or ought reasonably to have known, the availability and suitability of ways to eliminate or minimise the risk, and the cost.

This is the language a regulator and a court will use to assess whether your business met its duty after an incident. The single most important thing your WHS Policy does is provide written evidence that you considered each of these factors for the hazards your business actually faces.

What a compliant WHS Policy contains

A WHS Policy is not a legal disclaimer. It is the operating document that sets out, in plain English, how your business manages health and safety. The structure that survives scrutiny by inspectors, insurers, and head contractors looks like this:

1. Commitment statement

A short statement, signed and dated by the PCBU (the director or owner), committing to comply with the WHS Act and to provide a safe workplace. Two paragraphs, not two pages. The signature is the part that matters.

2. Scope

Who and what the policy applies to. Workers, contractors, visitors, volunteers. The premises, the vehicles, the work performed off-site. This sounds trivial. It isn't. A policy that doesn't define its scope will fail an audit because it fails the most basic question: what does this document cover?

3. Roles and responsibilities

Named roles, named duties. The PCBU's duties under sections 19, 27, and 28. The responsibilities of supervisors, of workers under section 28, of contractors. If you have a Health and Safety Representative or a Health and Safety Committee, name them and their authority.

4. Risk management framework

A short description of how your business identifies, assesses, controls, and reviews hazards. Should reference the hierarchy of controls — eliminate first, substitute second, engineer third, administrate fourth, PPE last — because that is the framework the regulator uses.

5. Specific controls for your industry

This is where templates fall apart. A construction WHS Policy needs sections on heights, electrical, plant, and confined spaces. A clinical WHS Policy needs sections on sharps, infection control, and patient handling. A hospitality WHS Policy needs sections on knives, burns, slips, and late-night security. Generic templates have a generic risk register. A real policy has your risk register.

6. Incident notification and recording

The procedure for recording an incident, the procedure for investigating it, and the procedure for notifying the regulator if it qualifies as a notifiable incident under section 35 (death, serious injury or illness as defined in section 36, or a dangerous incident under section 37). The notification timeframes are short — immediate for death, "as soon as the PCBU becomes aware" for the others — and the policy must name the responsible person.

7. Worker consultation

Section 47 of the Act requires PCBUs to consult, so far as is reasonably practicable, with workers on health and safety matters. The policy should describe how that consultation happens — toolbox talks, prestart meetings, an annual review, the HSR process if applicable.

8. Training and competency

How workers are inducted, how they are trained on the specific hazards in their role, and how that training is recorded. The policy should reference the Training Register that ships alongside it.

9. Review schedule

When the policy is reviewed and by whom. The recommended cadence is annually at minimum, plus on a triggering event (incident, change in regulation, change in business activity). If the policy doesn't have a review date, it has no defence in an investigation.

10. Sign-off panel

The PCBU's signature, the date, and the version number. This is the legal moment the policy comes into force.

The state-by-state regulators

The duties are largely uniform across the harmonised states. The regulators, the penalty regimes, and the inspection postures differ.

Jurisdiction | Regulator | Key statute
NSW | SafeWork NSW | WHS Act 2011 (NSW); WHS Regulation 2017 (NSW)
VIC | WorkSafe Victoria | OHS Act 2004 (Vic); OHS Regulations 2017 (Vic)
QLD | Workplace Health and Safety Queensland | WHS Act 2011 (Qld); WHS Regulation 2011 (Qld)
WA | WorkSafe WA | WHS Act 2020 (WA); WHS Regulations 2022 (WA)
SA | SafeWork SA | WHS Act 2012 (SA); WHS Regulations 2012 (SA)
TAS | WorkSafe Tasmania | WHS Act 2012 (Tas); WHS Regulations 2022 (Tas)
ACT | WorkSafe ACT | WHS Act 2011 (ACT); WHS Regulation 2011 (ACT)
NT | NT WorkSafe | WHS (National Uniform Legislation) Act 2011 (NT)

A multi-state operator must hold a WHS Policy that complies with the regulator that has jurisdiction over each location of work. PolicyPack handles this by generating jurisdiction-specific clauses for the locations you specify.

The five most common WHS Policy failures

After reviewing several thousand WHS Policies submitted to head contractor pre-qualification platforms, five failure patterns dominate.

The first is generic content. The policy is clearly a downloaded template, with placeholder language ("[insert business name here]") that didn't get replaced, or with a risk register that lists hazards the business doesn't actually face. Auditors recognise this within a page.

The second is staleness. The policy was written in 2019 or 2020 and hasn't been reviewed since. The regulator's expectations have moved. The policy hasn't.

The third is a missing signature. The PCBU never signed the document. The signature panel exists but is blank. This is a categorical failure — a policy without sign-off is not a policy.

The fourth is missing notification flow. The policy doesn't describe how a notifiable incident is escalated to the regulator. Given that section 38 requires notification "as soon as the PCBU becomes aware," a policy without this flow exposes the PCBU directly.

The fifth is no consultation evidence. The policy claims worker consultation but the business has no toolbox-talk records, no prestart sign-ins, no HSR meeting minutes. The Act doesn't require any specific format for the evidence — it requires that consultation actually happen — but in an investigation, the absence of any evidence at all is taken as the absence of consultation.

How a Subscription keeps your policy alive

The amendments cycle is the real challenge. The Model WHS Regulations are amended on a rolling basis through Safe Work Australia. The state regulators issue updated Codes of Practice every 18 to 36 months. The Privacy Act 1988 was reformed in late 2024 in a way that affects every business that handles personal information.

A static WHS Policy goes out of date the day it's printed. The Subscription tier exists to solve this: when a regulation underneath your pack changes, the affected sections regenerate and you receive a notification with a diff showing what changed, why, and what you need to review.

For a small business, this is the difference between "we have a compliance system" and "we had one, once."

What to do next

If you don't have a WHS Policy: generate one. The build flow takes about four minutes. The pack lands in 20 minutes.

If you have an old one: read it against the structure above. If it fails on any of the ten sections, regenerate.

If you have a current one but you're not sure it's holding up: download our sample pack and compare. If your policy reads like the sample — current, structured, jurisdiction-specific, signed — you're in good shape. If it doesn't, you have a project to do.

The cost of doing the project well is $199. The cost of doing it badly is the difference between a Provisional Improvement Notice and a personal liability claim under the new industrial manslaughter regimes. The economics aren't subtle.

Build your pack

Stop reading. Generate the pack.

PolicyPack writes the documents this guide describes — for your specific industry, jurisdiction, and operational scope. Twenty minutes. $199.