Section 180 of the Aged Care Act 2024: what personal liability means for directors and CEOs

The Aged Care Act 2024 commenced on 1 November 2025. It implements around 60 of the Royal Commission's recommendations and represents the biggest shift in Australian aged care governance since 1997. For directors, CEOs, and senior managers of approved providers, the most consequential change is Section 180: personal civil liability of up to $165,000 for individuals whose conduct exposes a person under care to death or serious injury.

This is not a refinement of existing duties. It is a new mechanism. The historical pattern, where penalties almost always landed on the corporate entity, ends here. Under Section 180, responsible persons can be held personally accountable, with civil penalties payable from personal assets. Some directors and officers (D&O) policies written before 2024 do not cover these civil penalties at all.

This article covers who counts as a "responsible person" under the new Act, what conduct triggers Section 180 exposure, the two penalty tiers, how Section 180 works alongside the Section 179 provider duty, and the five governance changes boards and CEOs should make now.

Who counts as a "responsible person"

The Aged Care Act 2024 defines "responsible person" broadly. The category includes directors of approved providers, chief executive officers, senior managers who hold operational control over service delivery, key personnel as defined under the Act and supporting Rules, and any other individual who has authority or significant influence over planning, directing, or controlling the activities of the provider.

The breadth is intentional. The Royal Commission recommended that governance accountability extend beyond the legal entity to the individuals making the substantive decisions. Section 180 implements that recommendation. It captures formal directors. It also captures anyone whose decisions materially shape how care is delivered.

In practice, several roles are likely caught:

• Members of the board of an approved provider
• The CEO or equivalent senior executive
• Chief Operating Officers and General Managers with operational accountability
• Heads of Clinical Governance or equivalent
• Some senior clinical and nursing leadership, depending on their role in governance arrangements
• Key personnel as defined under the Aged Care Rules 2025

The treatment of fixed-term and contracted senior personnel is still being tested. A fixed-term clinical consultant who advises on governance but holds no formal role may not be caught. A fractional CFO or interim CEO with operational decision-making authority almost certainly is. Where the role carries material influence over how the provider operates, assume Section 180 applies.

For consortium providers and joint ventures, the calculus is more complex. A director sitting on the board of an approved provider entity is captured by that role, even if their primary appointment is elsewhere. Each separate board appointment carries its own Section 180 exposure.

Brief these individuals on their exposure at engagement, not after an incident.

What Section 180 actually says

Section 180 sits in Part 5, Division 1 of the Aged Care Act 2024. It imposes a duty on certain responsible persons to exercise due diligence to ensure that the registered provider complies with its duty under Section 179.

This is the operative chain. Section 179 makes the provider accountable for ensuring delivery of safe and quality care. Section 180 holds responsible persons personally accountable for ensuring the provider lives up to that duty.

The penalty structure has two tiers, summarised below and explained in detail underneath.

Tier 1: 500 penalty units

The first tier applies where the responsible person's conduct results in death or serious injury or illness to a person under the provider's care. The federal penalty unit value is $330, in effect since 7 November 2024, with the next indexation scheduled for 1 July 2026. At $330 per unit, 500 units is $165,000. Confirm the current unit value before relying on the dollar figure in any document of record.

This is the most serious tier. It requires both a causal link between the responsible person's conduct (typically a governance failure rather than a direct clinical act) and the harm event, and a failure of due diligence on the responsible person's part.

Tier 2: 150 penalty units

The second tier captures "serious failures": conduct that exposes a person under care to a risk of death or serious injury or illness, where the conduct involves a significant or systemic failure rather than an isolated mistake.

The threshold distinction matters. A one-off lapse in judgement is unlikely to trigger Tier 2. A pattern of governance neglect that creates a generalised risk environment can, even where no specific harm has yet occurred.

Both tiers are civil penalties, not criminal. The previous regime included criminal sanctions for certain duty breaches. The new Act removes those criminal sanctions and replaces them with these civil mechanisms (a deliberate concession that emerged through the parliamentary process). Civil penalties are imposed through Federal Court proceedings.

The Aged Care Quality and Safety Commissioner is the primary enforcement agency. Section 180 proceedings target governance failures that contribute to serious incidents, not only direct clinical wrongdoing.

What triggers exposure

Section 180 captures conduct that demonstrates a failure of due diligence. The most likely fact patterns:

• Failure to exercise due diligence to ensure the provider complies with its duty under Section 179
• Failure to maintain proper governance arrangements over quality and safety
• Failure to act on identified risks of harm to care recipients
• Failure to comply with statutory notification obligations, including SIRS reporting

The "exposure to risk" threshold under Tier 2 is significant. A responsible person can face liability even where no specific harm has materialised, provided the conduct exposed a person to risk and involved significant or systemic failure. This shifts the timing of accountability earlier in the failure cycle.

In governance terms, this means board members cannot rely on the absence of an actual incident to demonstrate due diligence. Documentation of risk awareness, escalation, and action becomes the primary evidence of due diligence performed, regardless of whether a triggering event ever occurs.

Common patterns that may trigger exposure include:

• Repeated escalations of clinical risk that are not actioned at board level
• Patterns of SIRS reports that suggest systemic rather than isolated causes
• Workforce shortages flagged in board papers but not resourced
• Outdated policies that remain in force despite known regulatory change
• Compliance findings from prior audits that are not addressed before the next audit

In practice, this means the threshold turns on whether the conduct created an environment where serious incidents became predictable, not on whether any single event could have been foreseen on the day.

How Section 179 and Section 180 work together

Section 179 imposes the registered provider's duty to ensure safe and quality care delivery. Section 180 imposes the responsible person's duty to exercise due diligence to ensure the provider complies. The two operate in parallel.

A single failure event can trigger both provider liability under Section 179 and personal liability under Section 180.

The Act includes several provisions clarifying the relationship:

• The duty is not transferrable. A responsible person cannot delegate liability to another individual or to the provider.
• More than one entity may hold the duty. A failure that results in penalties under both Section 179 (against the provider) and Section 180 (against one or more responsible persons) is contemplated by the Act.
• More than one responsible person can hold the duty simultaneously. Board members are not co-defendants for the same singular duty; each has an individual due-diligence obligation.
• State and Territory laws (such as Work Health and Safety obligations) continue to apply concurrently. Multi-jurisdictional exposure for a single incident is possible.

This architecture means that a single Section 180 enforcement action does not preclude others. A failure that involves the board, the CEO, and a senior clinical leader could result in three separate personal civil penalty proceedings, each requiring independent due-diligence evidence from the individual concerned.

What boards and CEOs should do now

Five governance changes are worth making in the next quarter.

1. Review D&O insurance coverage

Many D&O liability policies written before 2024 do not explicitly cover civil penalties under the Aged Care Act 2024. Some exclude regulatory penalties entirely; others cover defence costs but not the penalty. Confirm with your broker whether your policy covers civil penalties under the new Act, and whether the cover extends to all responsible persons rather than only formal directors.

Where the policy does not cover, ask the broker about an extension or moving carriers. Older policies still in force may need a negotiated extension to bring them within the new exposure.

2. Make quality and safety a standing board agenda item

Quality and safety should appear on every board meeting agenda, with named risks, named mitigation actions, and named owners. The minutes should record what was discussed and decided. Absent or generic minutes are not evidence of due diligence under Section 180.

Specific items to capture in minutes:

• Each risk discussed, by name
• The action proposed and who is accountable
• The timeline for re-reporting on progress
• Any questions raised by directors and the responses given

3. Document the risk escalation pathway

Map the path that a frontline clinical risk follows to reach board awareness. If a serious risk identified by a clinical lead would take four or more reporting layers to reach the board, the path is too long. Shorten it, and document the shortened path.

A short escalation path is evidence of governance working. A long one is evidence of structural risk.

4. Maintain individual due-diligence records

Each responsible person should keep a personal record of governance training completed, risks they were briefed on, decisions they made, and questions they asked. These records become the evidence base for a due-diligence defence under Section 180.

The record does not need to be elaborate. A board portal that tracks attendance, papers reviewed, and decisions taken can serve as the basis. The key is consistency. A director who only sometimes documents their engagement provides patchy evidence.

5. Brief incoming directors on Section 180 exposure

New directors should be briefed on Section 180 exposure during onboarding, not in a footnote on day one. Treat the briefing as substantive, document it, and update the briefing materials annually.

The briefing should cover the responsible person definition, the penalty tiers, the governance pathway expected of board members, and the relationship between provider and personal liability.

What is still unresolved

Three aspects of Section 180 remain to be tested through Commission practice and case law. Until they are settled, take the cautious read.

Fixed-term and contract personnel. Whether a senior clinical consultant in a fixed-term engagement falls within the responsible person definition is not fully tested. Treat any senior advisor with material decision-making authority as if they are covered.

The "significant or systemic" threshold for Tier 2. The line between an isolated lapse and a systemic failure will be drawn through early enforcement decisions and any guidance the Commission publishes. Until that line is clearer, treat any sustained pattern of governance lapses as potentially in scope.

Concurrent state and territory duties. Section 180 sits alongside state-based statutory duties (such as Work Health and Safety duties). Multi-jurisdictional exposure for a single incident is possible. Read the interaction carefully with counsel.