Australian Compliance Training in 2026: What's Actually Required?

A practical overview of mandatory workplace training in Australia — sexual harassment, WHS, anti-discrimination, industry-specific. What's mandated, what's expected, what's defensible.

A note before we start.

We’re eLearning developers, not lawyers. The information below is current as of May 2026 and reflects our understanding of Australian regulatory requirements from our work with clients across compliance and risk training. It is not legal advice. For any specific compliance question, talk to a workplace relations lawyer.

With that out of the way: this post exists because every time we onboard a new client into a compliance training project, we have roughly the same conversation. They’ve heard they “need to do” sexual harassment training. They’re not sure exactly what that means, who it applies to, what’s mandatory versus expected, or what would hold up if they got audited.

This is the post we wish existed when those conversations started. A practical overview of what Australian organisations actually need to deliver in 2026.

The Big One: The Positive Duty

In December 2022, the Australian government amended the Sex Discrimination Act 1984 to introduce what’s called the positive duty.

Before the positive duty, employers had to respond to sexual harassment when it happened. After the positive duty, employers must take “reasonable and proportionate measures” to actively prevent it — before any incident occurs.

This is the single biggest shift in Australian workplace compliance in a decade.

What changed in practical terms:

  • Employers are now responsible for prevention, not just response.
  • The Australian Human Rights Commission (AHRC) has enforcement powers, including the ability to investigate, issue compliance notices, and enter into enforceable undertakings.
  • “Reasonable and proportionate” scales to your organisation. A 50-person business and a 5,000-person business face the same duty, but what they need to do to meet it looks different.

What this means for training:

The positive duty doesn’t legislate a specific training program. It doesn’t say “all staff must complete a 30-minute course every two years.” It says employers must take reasonable steps to prevent harassment, and training is universally understood as one of those steps. The AHRC has published guidance that explicitly names training as a core component of compliance.

If your organisation hasn’t delivered sexual harassment prevention training to all workers — including contractors, volunteers, and interns — in the last two years, you have a positive duty problem. Whether or not you’ve had any incidents.

Most Australian organisations refresh this training annually or every two years, depending on size and risk profile.

The Other Compliance Topics

Sexual harassment gets the most attention because of the positive duty, but it’s not the only compliance training Australian employers are expected to deliver. Here’s the practical landscape.

Work Health and Safety (WHS)

Every Australian employer has duties under WHS legislation — federally the Work Health and Safety Act 2011, with state variations. WHS training isn’t a single course; it’s a set of training requirements depending on the role.

For all workers: general WHS awareness, including hazard identification, incident reporting, and emergency procedures. Usually delivered at induction and refreshed periodically.

For specific roles: more targeted training. Manual handling, working at heights, chemical safety, machinery operation, first aid. These depend on the job.

Important development: psychosocial hazards (including harassment, bullying, fatigue, and work-related stress) are now formally treated as WHS hazards, not just HR issues. NSW formally adopted a Healthcare and Social Assistance Industry Code of Practice in February 2026 that makes this explicit. Other states are following.

What this means in practice: sexual harassment training and WHS training are converging. They cover the same ground from different regulatory angles. A well-designed compliance program treats them as connected, not separate.

Anti-Discrimination Training

Australia has multiple anti-discrimination laws — federal (Sex Discrimination Act, Racial Discrimination Act, Disability Discrimination Act, Age Discrimination Act) and state-level (each state has its own anti-discrimination legislation).

There’s no single mandate that says “all workers must complete anti-discrimination training.” But the practical expectation is universal: training is one of the standard “reasonable steps” an employer takes to prevent unlawful discrimination, and a defence to vicarious liability claims often rests partly on whether training was delivered.

Most organisations bundle anti-discrimination training with sexual harassment training, since the legal frameworks overlap.

Code of Conduct

Not legally mandated, but ubiquitous. Every Australian organisation of meaningful size has a code of conduct. Most introduce it at induction and refresh it periodically.

The code of conduct is where you operationalise the legal requirements above — translating “the law requires you to not harass colleagues” into “here’s what we expect of you at this organisation, and here’s what happens if you don’t meet that expectation.”

Cyber Security and Privacy

The Privacy Act 1988 (and the Notifiable Data Breaches scheme that sits within it) doesn’t mandate specific training, but does require organisations handling personal information to take “reasonable steps” to protect it. Training is universally treated as part of those reasonable steps.

For most organisations, this means cyber security awareness training delivered annually, covering phishing, password hygiene, data handling, and incident reporting. For organisations in regulated industries (financial services, healthcare, government), expect more rigorous, more frequent training.

Modern Slavery

The Modern Slavery Act 2018 applies to organisations with consolidated revenue over $100 million. It requires annual reporting on actions to address modern slavery risks in operations and supply chains. Training of relevant staff (procurement, supplier management) is part of standard practice.

Smaller organisations aren’t legally required to deliver this training, but increasingly do as a supplier-facing expectation.

The Industry-Specific Layer

Beyond the universal requirements above, several industries have their own mandatory compliance training.

Financial services — AML/CTF training (Anti-Money Laundering and Counter-Terrorism Financing), AFSL training, responsible lending, FAR (Financial Accountability Regime) training. These are mandated by AUSTRAC and ASIC respectively and have specific content, frequency, and record-keeping requirements.

Healthcare and aged care — mandatory training in infection control, hand hygiene, dementia care (for aged care), open disclosure, and various clinical skills. Aged Care Quality Standards drive the frequency and content.

Mining and construction — site-specific induction (including Blue Card / White Card / equivalent), high-risk work licences for specific tasks, contractor compliance training.

Education — child protection training (mandatory for all staff in any educational setting working with under-18s). Working with Children Checks are also required but they’re not training, they’re clearance.

Government — varies hugely by department. Most APS agencies have mandatory training in conduct, fraud control, security awareness, and information management.

This is not an exhaustive list. If you’re in a regulated industry, your industry body has guidance more specific to your sector than this post can be.

The Workplace Gender Equality Act (WGEA) Update

Worth flagging because it changed for 2026.

From 2026, employers with 500 or more staff must select three legislated gender equality targets over a three-year cycle — including at least one numeric target — under the Workplace Gender Equality Act 2012. Targets cover gender representation in leadership, pay gaps, and parental leave.

Failure to meet or demonstrate progress against targets risks public naming and loss of eligibility for Commonwealth procurement.

This isn’t training-specific, but it adds reporting infrastructure that intersects with how organisations think about equality, harassment prevention, and culture. Most organisations of this size are integrating WGEA reporting with broader compliance program management.

What “Compliant” Actually Looks Like

When we work with clients on compliance training, the conversation usually comes down to four practical questions:

1. Does the content cover what’s legally expected?

For sexual harassment training, that means: the positive duty, the legal definitions, the workplace’s specific reporting channels, manager-specific obligations. The AHRC has published guidance on what training should include. Most reputable vendors design to it.

2. Is every worker reached?

Including contractors. Including volunteers. Including casuals who might do one shift a year. The scope of “workers” under the Sex Discrimination Act and WHS legislation is broader than direct employees.

3. Are completions tracked and recorded?

This is the operational requirement that catches most organisations. You can have the best training in the country, but if you can’t demonstrate who completed it and when, the AHRC will treat it as not delivered. Your LMS records are your defence.

4. Is training refreshed at appropriate intervals?

Annual is the most common cadence. Two-yearly for content that doesn’t change quickly. Higher-frequency for high-risk industries or roles. One-and-done at induction is no longer defensible for any of these topics.

What This Means For Your Training Strategy

Three honest takeaways.

Compliance training is not a checkbox exercise anymore. The shift to the positive duty (and the WHS treatment of psychosocial hazards) means regulators are looking for active prevention, not just records of compliance. Training has to be designed to actually shift behaviour, not just deliver legally-required content.

Generic off-the-shelf courses have limits. Off-the-shelf training is fine for general awareness. For training that needs to be defensible under audit, you usually want content that reflects your organisation’s specific policies, reporting channels, and culture. Custom training (or heavily-tailored off-the-shelf) is increasingly the standard.

Compliance training is converging. Sexual harassment, anti-discrimination, WHS psychosocial, bullying prevention, code of conduct — these are increasingly treated as one connected program rather than separate modules. Organisations that design them as a coherent learning experience get better outcomes (and better audit defence) than organisations that bolt separate courses together.

A Final Caveat

Compliance regulations change. The positive duty was a major shift in 2022. NSW’s healthcare code of practice was a major shift in 2026. Something else will shift in 2027 or 2028. The training that’s compliant today may not be compliant in two years.

Whichever vendor you work with — including us — make sure they’re committed to keeping content current. Outdated compliance training is worse than no training in some respects: it gives the appearance of compliance without the substance.

If you need custom compliance training built, send us a brief — we work across all the major compliance topics and stay current on the regulatory landscape. If you have questions about whether your existing program meets requirements, ask a workplace relations lawyer first; we’ll defer to their advice on the legal questions.
