Australian HR has always operated in a tangle of awards, legislation and shifting regulatory expectations. But 2026 is different. Several changes are landing at once, each reinforcing the others, each raising the stakes if you get caught on the back foot.
- Criminal penalties for wage theft are now being actively enforced
- The biggest change to superannuation payment since compulsory super began takes effect on 1 July
- Psychosocial hazard management is a compliance obligation with teeth
- Privacy law is catching up with AI
- And the positive duty to prevent sexual harassment means the regulator can now walk through your door uninvited.
Together, they demand something most Australian businesses haven't built yet: a compliance infrastructure that's proactive, documented and continuously reviewed.
This guide breaks down the 10 HR compliance risks Australian employers need to take seriously in 2026 ⬇️
1. Payday Super
From 1 July 2026, the way employers pay superannuation changes fundamentally. Under the Treasury Laws Amendment (Payday Superannuation) Act 2025, super guarantee (SG) contributions must be paid at the same time as wages – not quarterly.
What this means in practice
Contributions must reach the employee's super fund within seven business days of each payday (20 business days for a new employee's first contribution).
SG is now calculated as 12% of "qualifying earnings" (QE) – a new term that replaces ordinary time earnings and includes salary sacrifice amounts. The ATO's Small Business Superannuation Clearing House closes permanently on 1 July 2026, so every employer using it needs to migrate to an alternative clearing house before that date.
Why this risk is bigger than it looks
The Super Guarantee Charge (SGC) now applies per payday, not quarterly. Penalties range from 25% to 50% of the unpaid amount, with a maximum of 200% of the SGC – and critically, the SGC is not tax-deductible. The ATO has released Practical Compliance Guideline PCG 2026/1 outlining a first-year compliance approach with low, medium and high-risk zones. They'll be matching Single Touch Payroll data with fund reporting in real time, which means late payments will be visible almost immediately.
Treasury has acknowledged that many SMEs historically used quarterly super as a cash-flow buffer. That buffer is gone. More than one in five SMEs could struggle with the cash-flow impact, and Treasury itself has warned the regime may trigger a wave of insolvencies among businesses that relied on the "super float."
Who's most exposed
Hospitality, retail and construction businesses with irregular cash flow and large casual workforces. Directors relying on Safe Harbour protections should note that non-compliance with Payday Super may disqualify them.
What to do now
- Confirm your payroll system can process SG on every pay run (not just quarterly)
- Transition away from the ATO's clearing house before 30 June 2026
- Build cash-flow forecasts that model fortnightly or weekly super outflows
- Communicate the change to employees – they'll see contributions appearing more frequently and will have questions
2. Criminal Wage Theft
Since 1 January 2025, intentional wage underpayment has been a criminal offence under the Fair Work Act 2009. 2026 is the first full calendar year of active enforcement, and the Fair Work Ombudsman (FWO) is investigating.
The penalties are severe. Companies face fines of the greater of three times the underpayment or $8.25 million. Individuals (including directors and senior managers) face up to 10 years' imprisonment and/or fines of up to $1.65 million. Civil penalties for non-small business employers have also increased, reaching up to $495,000 per contravention or $4.95 million for serious contraventions.
The offence catches intentional underpayment of wages, super contributions, redundancy pay, leave payments, overtime, penalty rates, allowances and leave loading.
What this means for small businesses
The Voluntary Small Business Wage Compliance Code provides employers with fewer than 15 employees a pathway to avoid criminal prosecution, provided they demonstrate genuine compliance efforts. Employers of any size can enter into cooperation agreements by self-reporting.
What to do now
- Conduct a comprehensive payroll audit against all applicable awards and agreements
- Train HR and payroll teams on the criminal implications of sustained underpayment
- Treat this as a board-level governance issue – directors carry personal liability
- If you find discrepancies, self-report and remediate promptly (the FWO has signalled that proactive action is treated favourably)
3. Psychosocial Hazards
According to HiBob research published in February 2026, only 10% of Australian organisations have completed a formal psychosocial risk assessment. Yet psychosocial risk management is now a legal compliance requirement – not a wellbeing programme – across nearly every state and territory.
5 regulations to know
- The national Code of Practice on Managing Psychosocial Hazards at Work is in effect
- Victoria's OHS (Psychological Health) Regulations 2025 took effect on 1 December 2025, explicitly restricting training as a primary control measure
- NSW's WHS Regulation 2025 mandates the hierarchy of controls for psychosocial risks
- Queensland now requires written sexual harassment prevention plans
- WHS penalties are indexed annually, meaning fines increase every year
The defined hazards employers must manage include bullying, harassment, excessive workload, lack of autonomy, poor workplace relationships, job insecurity, exposure to traumatic events, fatigue, intrusive surveillance and remote work isolation.
A paradox of HR burnout
The same HiBob research found that 57% of HR professionals report having no energy left for their own wellbeing after supporting others, and 61% feel they're expected to solve every internal problem. The people responsible for psychosocial compliance are themselves the most at risk of psychosocial harm.
Sector-specific considerations
Healthcare and emergency services face heightened obligations around traumatic exposure. Construction and mining industries must address fatigue management. Professional services and tech companies need to scrutinise workload intensity and always-on culture, particularly in the context of right-to-disconnect obligations.
What to do now
- Conduct a formal psychosocial risk assessment in consultation with workers
- Implement controls using the hierarchy of controls, not just training
- Document every step: the assessment, the controls chosen, the review schedule
- Ensure leadership owns psychosocial safety, it cannot sit with HR alone
4. The Right to Disconnect
The right to disconnect now applies to every employer in Australia, including small businesses with fewer than 15 employees (from 26 August 2025). It's a protected right under the Fair Work Act and has been embedded in all modern awards.
Employees can refuse to monitor, read or respond to work-related contact outside their working hours, unless the refusal is unreasonable. This covers contact from employers and third parties (clients, suppliers, customers) across all channels: calls, emails, texts, social media and messaging apps.
Enforcement
Employers face fines of up to approximately $93,000. The Fair Work Commission must handle applications within 14 days and can issue stop orders. Adverse action protections apply, meaning a reverse onus of proof sits with the employer and damages are uncapped. There's no reported case law yet as of early 2026, which makes this an area of significant legal ambiguity.
A hidden payroll risk
If out-of-hours contact constitutes directed or required overtime, it could trigger additional payment obligations under the applicable award — which loops right back into the wage theft provisions discussed above.
Sector-specific challenges
Businesses operating across Australian time zones (particularly WA and eastern states during daylight savings) face genuine operational complications. Emergency services, healthcare and on-call roles need particularly clear policies distinguishing reasonable from unreasonable contact.
What to do now
- Draft or update an out-of-hours contact policy tailored to each role's requirements
- Have documented conversations with employees about expectations
- Review on-call arrangements and ensure they're reflected in contracts and pay
- Ensure payroll can capture any work performed outside normal hours
5. Gender Equality Targets
Australia is, remarkably, the first country in the world to mandate gender equality target-setting for large employers. From 1 April 2026 (private sector) and 1 September 2026 (public sector), employers with 500 or more employees must select, report on and work towards specific targets through the Workplace Gender Equality Agency (WGEA).
Employers must choose three targets from a menu of 9 numeric and 10 action-oriented options – at least one must be numeric (such as achieving a specific percentage of female representation or reducing the pay gap to a defined figure). These operate on three-year cycles, and progress will be published publicly on the WGEA website.
Consequences of non-compliance
Employers who fail to set targets without a reasonable excuse may be publicly named by WGEA. Non-compliance also renders an employer ineligible to tender for Australian Government contracts – a material commercial consequence for many large organisations.
Approximately 2,000 employers covering 3.9 million employees are affected. WGEA data indicates that 56% of covered companies have already set some form of gender equality targets.
What to do now
- Conduct a comprehensive gender pay gap analysis before selecting targets
- Choose targets that are achievable within three years but demonstrate genuine ambition
- Establish data tracking systems now – baseline data comes from 2024 reporting
- Private sector employers must declare targets between 1 April and 31 May 2026
6. The Positive Duty to Prevent Sexual Harassment
Every Australian employer (regardless of size or industry) now has a positive duty under the Sex Discrimination Act 1984 to take proactive steps to eliminate workplace sexual harassment, sex-based harassment, sex discrimination, hostile work environments and related victimisation. This isn't new legislation (it commenced in December 2022), but the enforcement powers are. The Australian Human Rights Commission (AHRC) can now commence inquiries into suspected non-compliance without the employer's consent.
A dual regulation risk
Sexual harassment is now simultaneously treated as a psychosocial hazard under WHS laws, meaning employers could face parallel scrutiny from the AHRC and state/territory WHS regulators. In Queensland, employers must have a written sexual harassment prevention plan.
The AHRC expects organisations to meet seven compliance standards: leadership and culture; knowledge; risk management; support; reporting and response; data collection and analysis; and monitoring, evaluation and transparency. This is not a "set and forget" exercise — annual review is expected.
What to do now
- Conduct a sexual harassment risk assessment specific to your workplace
- Ensure multiple reporting channels exist, including anonymous options
- Provide regular, role-specific training (not just an annual e-learning module)
- Document board and leadership engagement with the positive duty
- Review annually and record the review process
7. Worker Misclassification and Sham Contracting
The Closing Loopholes amendments introduced the "whole of relationship" test for worker classification, effective from 26 August 2024. Courts now look at how the contract is actually performed in practice, not just what the paperwork says.
This matters enormously in 2026 because the consequences of getting classification wrong are compounding. If a worker classified as a contractor is actually an employee, you're now liable for back payments of all entitlements (leave, super, penalty rates), and from 1 July 2026, superannuation liabilities carry the amplified penalties of the Payday Super regime. If misclassification is deemed intentional, it could constitute sham contracting (which is illegal) or even wage theft under the criminal provisions.
Casual conversion
The NES now provides an "employee choice pathway" allowing casuals to request permanent employment after six months (for employers with 15+ employees) or 12 months (smaller employers).
Sector-specific risks
The construction, transport and IT sectors have historically high rates of contractor engagement and are particularly exposed. Retail and hospitality face risks around casual classification, where workers with regular patterns may no longer meet the legal definition of "casual."
What to do now
- Review every contractor and casual arrangement against the whole-of-relationship test
- Don't rely on labels — assess how work is actually performed
- Reassess arrangements periodically (a relationship that starts as genuine contracting can evolve into employment over time)
- Budget for potential reclassification costs, including retrospective super liabilities
8. Employee Data Privacy, AI and Automated Decision-Making
This is the compliance risk that's moving fastest and where most employers are least prepared. Several regulatory threads are converging.
From 10 December 2026, businesses must legally disclose which decisions they make through automated means and what personal information feeds into those decisions. For HR teams using AI in recruitment screening, performance evaluation or workforce analytics, this is a direct obligation.
The employee records exemption under the Privacy Act is being narrowed through recent OAIC determinations, which have applied a strict interpretation limiting the exemption to actions with a precise connection to the employment relationship. The OAIC has launched its first-ever compliance sweep of businesses' privacy policies in early 2026, and enforcement powers now include fines of up to $50 million for significant breaches.
The AI governance picture
Australia's National AI Plan (December 2025) confirmed the government will manage AI through existing legislation rather than a standalone AI Act. However, a parliamentary inquiry has recommended classifying all AI systems used for employment purposes – recruitment, hiring, promotion, remuneration, termination – as "high-risk." A bill addressing digital work systems in the workplace is anticipated during 2026.
Facial recognition technology has already attracted penalties (the Bunnings and Kmart cases involved OAIC determinations regarding in-store facial recognition).
What to do now
- Audit every automated decision-making process touching HR
- Prepare privacy policy updates disclosing AI/ADM use by December 2026
- Ensure all AI recruitment and performance tools have documented human oversight
- Assess third-party AI vendors against Australian Privacy Principles
- Train HR staff on privacy obligations related to new technologies
9. Award Misinterpretation and Record-Keeping Failures
Australia's modern award system is one of the most complex industrial frameworks in the world, with over 120 modern awards covering different industries and occupations, each with distinct pay rates, allowances, overtime provisions, penalty rates and classification structures. Misinterpreting which award applies, or applying the wrong classification within the right award, remains one of the most common sources of underpayment – and underpayment now carries criminal penalties.
Record-keeping amplifies the risk. The Fair Work Act requires employers to maintain employee records for seven years. If you can't produce records during a dispute, the burden of proof shifts to the employer. Record-keeping failures can also contribute to a finding of "serious contravention" under wage theft laws.
With Payday Super adding per-pay-cycle superannuation records, psychosocial risk assessments requiring documentation, and gender equality data requiring annual tracking, the documentation burden in 2026 is heavier than it's ever been.
What to do now
- Audit award coverage and employee classifications at least annually
- Invest in payroll and HR systems that automate record-keeping and flag discrepancies
- Ensure payslips are accurate and issued within one working day
- Maintain psychosocial risk assessment documentation, WHS incident records and gender equality data in a single, accessible system
10. Expanded Parental Leave and the NES Review
From 1 July 2026, eligible parents can access up to 26 weeks of government-funded Paid Parental Leave (up from 24 weeks in 2025–26). Four weeks are reserved for each parent on a "use it or lose it" basis. The government also pays 12% superannuation on PPL (from July 2025).
Alongside this, the first comprehensive review of the National Employment Standards (NES) since the Fair Work Act commenced in 2009 is underway. It could result in changes to leave entitlements, maximum hours, redundancy rules and flexible working arrangements. Potential changes include the removal of the small-business redundancy exemption and adjustments for job losses caused by technological change.
The operational reality
For small businesses where a single absence represents 10% or more of the workforce, 26 weeks of parental leave presents a genuine resourcing challenge. Many small employers still don't have formal parental leave policies. The Fair Work Commission has found that failing to consult with an employee on parental leave during restructuring can constitute unfair dismissal.
What to do now
- Update parental leave policies to reflect the 26-week entitlement from 1 July 2026
- Plan coverage arrangements for extended leave periods
- Ensure return-to-work processes comply with the Fair Work Act's job guarantee provisions
- Monitor the NES review – further changes could land mid-cycle
HR Compliance Risk Assessment Checklist: 2026
Use this checklist to assess where your organisation stands across each risk area. Score each item as compliant, in progress or not started.
Payroll and superannuation
- Payroll system confirmed capable of processing SG on every pay run
- Alternative clearing house selected and tested (SBSCH migration complete)
- Cash-flow forecast updated for per-payday super outflows
- Employee communications prepared regarding Payday Super
Wage compliance
- Full payroll audit conducted against applicable awards/agreements
- Award coverage and employee classifications reviewed within the past 12 months
- Board/leadership briefed on criminal wage theft provisions
- Process in place for self-reporting and remediation of underpayments
Psychosocial safety
- Formal psychosocial risk assessment completed (with worker consultation)
- Controls implemented using the hierarchy of controls (not training alone)
- All assessments and controls documented with review dates set
- Leadership accountability for psychosocial safety formalised
Right to disconnect
- Out-of-hours contact policy drafted and communicated
- Role-specific expectations documented
- On-call arrangements reviewed and reflected in contracts and pay
- Payroll system can capture out-of-hours work
Gender equality (500+ employees)
- Gender pay gap analysis completed
- Three targets selected from WGEA menu (at least one numeric)
- Data tracking systems established for gender equality metrics
- Baseline data confirmed from 2024 reporting period
Sexual harassment positive duty
- Workplace-specific risk assessment completed
- Respectful workplace behaviour policy in place and communicated
- Multiple reporting channels available (including anonymous)
- Annual review process documented
Worker classification
- All contractor arrangements reviewed against whole-of-relationship test
- Casual employees assessed for employee choice pathway eligibility
- Independent contractor agreements updated
- Retrospective liability exposure estimated
Data privacy and AI
- All automated decision-making processes in HR audited
- Privacy policy updates in train for ADM disclosure (deadline: 10 December 2026)
- AI tools assessed for bias and documented human oversight
- Third-party AI vendor privacy compliance verified
Record-keeping
- Employee records complete and accessible for past seven years
- Payslips accurate and issued within one working day
- Psychosocial, WHS and gender equality documentation centralised
- Per-pay-cycle super records ready for Payday Super
Leave and NES compliance
- Parental leave policies updated for 26-week entitlement (from 1 July 2026)
- Coverage plans in place for extended leave periods
- Return-to-work processes documented and compliant
- NES review being monitored for further changes
Final Thoughts
There's a tempting narrative that compliance is about avoiding penalties. And yes, the penalty regime in 2026 is more punitive than it's ever been: criminal prosecution for wage theft, escalating SGC penalties under Payday Super, AHRC inquiries without consent, OAIC fines reaching $50 million.
But the cost of getting compliance wrong is measured in the trust of the people who work for you. Every one of these 10 risks – from psychosocial safety to the right to disconnect, from award interpretation to gender equality targets – exists because Australian law has decided that the way people are treated at work matters enough to enforce.
The compliance infrastructure you build now isn't just protection. It's the foundation of the employer you actually want to be.
Looking for more practical HR guidance?
Visit the Subscribe-HR blog for expert insights on workplace compliance, talent management strategies, and evidence-based approaches to building high-performing, inclusive teams across Australia and New Zealand. 🙌
