Regulators do not knock on your door because you read the legislation wrong. They knock because something happened, and the file does not show that you knew what applied, who owned it, and how you controlled it.
This is where most QHSE legal compliance work falls apart. Not in the law itself. In the connection between the law and the daily work.
ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018 all sit on Annex SL, and all three demand the same thing in the Planning clause. You determine the legal and other requirements that apply, you record them, you keep them current, and you take them into account when you plan how your business operates.
That is not paperwork. That is the line between a clean audit and a notice.
What ISO actually requires under “legal and other requirements”
ISO 14001:2015 Clause 6.1.3 and ISO 45001:2018 Clause 6.1.3 use the same language. You determine and have access to the compliance obligations related to your environmental aspects and your OH&S hazards. You determine how these apply. You take them into account in establishing, implementing, maintaining and continually improving the IMS.
ISO 9001:2015 carries the same idea through Clauses 4.2 (interested parties), 8.2.2 (determining requirements for products and services) and 8.4 (control of externally provided processes).
“Other requirements” is the part most businesses miss. It includes contractual obligations, principal contractor requirements, industry codes, certification scheme requirements, voluntary commitments, and client-specific QHSE standards that flow down through a tender or contract. If your client requires you to operate to AS/NZS ISO 31000:2018 for risk management, that is now an “other requirement” you must register.
The Australian legislation that actually applies to most QHSE clients
Every business has a different stack, but the foundation looks similar across construction, trades, manufacturing and education.
For health and safety, the Work Health and Safety Act 2011 (Cth) and its harmonised state mirrors set duty of care, consultation, incident notification and right of entry. The Work Health and Safety Regulation 2011 sets the operational detail: high risk work, plant, electrical, hazardous chemicals, manual tasks, asbestos. Safe Work Australia model Codes of Practice carry evidentiary weight under section 275 of the Act.
For environmental, the Environment Protection Act 1994 (Qld), Protection of the Environment Operations Act 1997 (NSW), Environment Protection Act 2017 (Vic), and equivalents in WA, SA, NT and Tasmania regulate noise, waste, water, air and contaminated land. The Environment Protection and Biodiversity Conservation Act 1999 (Cth) covers matters of national environmental significance.
For quality and consumer protection, the Australian Consumer Law under the Competition and Consumer Act 2010 (Cth) sets product safety and conformity obligations. The National Construction Code applies to construction work, with state-based building Acts on top.
Other commonly missed obligations include the Modern Slavery Act 2018 (Cth), Privacy Act 1988 (Cth), Fair Work Act 2009 (Cth), and the Building Code 2016 for federally funded construction work.
Where most QHSE legal compliance registers fail
Three failure modes turn up in nearly every audit.
The first is the static register. A spreadsheet built once at certification, then left untouched. Two years later the Hazardous Chemicals chapter of the WHS Regulation has been amended, the EPA has issued a new compliance code, and the register still cites the old version. The auditor opens the document, checks one date against the Federal Register of Legislation, and the gap is exposed.
The second is the register that names the law but does not link to a control. “WHS Act 2011 — comply” is not a control. The auditor wants to see the legislation, the specific clause or section that imposes the duty, the operational control that delivers compliance, the responsible position, the evidence of compliance, and the review date.
The third is the register owned by nobody. If “QHSE Manager” is the only owner against every line, the register will go stale. Specific duties under the WHS Act (section 27 officer duty, section 28 worker duty, section 19 PCBU duty) sit with different people. The register should reflect that.
How to build a legal register that actually holds up
Start with a register that has at least these columns: legal or other requirement, jurisdiction, specific clause or section, what it requires, how it applies to your business, operational control, control document reference, responsible position, evidence of compliance, last reviewed date, next review date, status.
Populate it in workshop format with the people who own the operational controls. The HR Manager owns Fair Work obligations. The Operations Manager owns the WHS Regulation chapters relevant to plant and high risk work. The Procurement Manager owns Modern Slavery and Australian Consumer Law obligations on supplier requirements.
Set a review frequency that matches the volatility of the area. Federal WHS is reviewed by Safe Work Australia on a published cycle. Environment law moves faster at state level. Industry codes change with each iteration. Quarterly review for high-volatility items, six-monthly for stable items, annually as a floor.
Link the register to your risk and opportunity register from Week 17. A legal requirement is not just a compliance line. It is a control source for the risks you have already identified.
Practical Application
For a Sunshine Coast civil contractor with 25 staff, the register would typically include the WHS Act 2011 (Qld) duties for PCBUs, officers and workers; WHS Regulation 2011 chapters on construction work (Chapter 6), high risk work (Chapter 4), plant (Chapter 5), hazardous chemicals (Chapter 7) and electrical (Chapter 4); the Environment Protection Act 1994 (Qld) for noise, water and waste; the Building Industry Fairness (Security of Payment) Act 2017 (Qld); the Queensland Building and Construction Commission Act 1991; and any principal contractor requirements flowing down through head contracts.
Each line in the register names the specific control: an SWMS for high risk construction work under Regulation 299, a hazardous chemicals register and SDS file under Chapter 7, a contaminated land management plan referenced to the EPA approval, a payment claim register for security of payment, and so on.
This is the bridge between QHSE legal compliance and the day-to-day work. Without it, the IMS is a document set. With it, the IMS is a defensible operating system.
Conclusion
QHSE legal compliance does not get easier with more documents. It gets easier with one accurate register that names the law, the control, the owner and the evidence. Build that register, keep it current, and most of your compliance work is already done.
The MiSAFE All-in-One QHSE subscription includes configuration of your Legal and Compliance Obligations Register inside DS Site, with monitoring and review cycles built in, so the register stays current without becoming someone’s full-time job.
Download the Template
Download the MiSAFE Legal and Compliance Obligations Register for free.