A digital logbook makes Legionella compliance feel safe. The readings go in, the dashboard turns green, and the dread of a missing paper folder seems to disappear. Then a tablet gets wiped, a software contract ends, or a supplier quietly shuts down, and the months of temperature checks, signed task records and remedial close-outs you can never recreate go with it.

That is the uncomfortable part of going digital. The records you most need in an audit or an incident review are exactly the ones you cannot reconstruct after the fact. You can re-walk a building; you cannot re-take last March’s hot-water readings. Backing up those records is not an IT chore bolted on at the end. It is part of being able to show control.

What follows is a routine for keeping that evidence recoverable, written for the person who would have to produce it.

Why a record you can’t produce is treated like a control you didn’t do

Under the Approved Code of Practice, duty holders are expected to keep records of the risk assessment, the written scheme of control, and the monitoring, inspection and remedial work that shows the scheme is being followed [1]. HSG274 frames the same expectation in technical terms: the evidence of control has to exist and be retrievable [2]. The HSE is plain about the duty to keep records and make them available on request [3].

An inspector, an insurer or an incident investigation does not grade good intentions. They look at what you can put in front of them. If the data is gone, corrupted, locked behind a dead login, or stranded in a format nobody can open, your position is no better than if the checks had never been done. Some of these records carry a multi-year retention expectation, so the window in which you must be able to recover them is long, not a few weeks.

Where digital records actually disappear

Paper had obvious failure modes: fire, flood, a skip. The digital ones are quieter, and most teams have never thought them through.

  • The single device. Readings live in an app on one engineer’s phone, or a spreadsheet on one laptop. Lose, wipe or replace the device and the only copy goes with it.
  • The “cloud backs itself up” assumption. A software provider replicates its own infrastructure for its own uptime, which is not the same as you holding a recoverable copy. If your account lapses, a payment fails, or you fall into a billing dispute, access can be switched off with your data still inside.
  • Sync is not backup. A folder that syncs to the cloud copies your mistakes too. An accidental deletion or an overwrite propagates to every synced copy in seconds, and ransomware does the same.
  • Vendor lock-in. When you change provider, or the provider is acquired or folds, can you get the full history out in a form you can still read? An export you cannot open without the original software is barely a backup at all.
  • The contractor holds everything. If your monitoring data lives only on a service provider’s platform, the end of that contract can be the end of your access. Who owns the data, and how you retrieve it, needs settling before the relationship ends, not during the argument.

A backup routine that holds up

You do not need an enterprise data strategy. You need a small, repeatable routine and the discipline to run it. Group it like this.

Know where the master copy lives

  • Write down the system of record for each site: the one place the authoritative data sits.
  • Note who can reach it and how, so a single departure or password reset never strands the records.

Keep more than one copy, in more than one place

  • Hold at least two copies of the data, and keep at least one of them off the live platform: a separate cloud account, an organisation file store, or encrypted local storage.
  • Schedule a regular export rather than trusting the live system alone. Monthly is a sensible starting point for active monitoring data.

Export into formats that outlive the software

  • Export signed and closed-out evidence as PDF, and raw readings as CSV, so the records stay human-readable without the original app.
  • Avoid a backup that exists only in a supplier’s proprietary format you cannot open anywhere else.

Protect against deletion, not just disaster

  • Use versioned or point-in-time backups so you can recover yesterday’s data after an accidental change, not only after a crash.
  • Confirm the live system keeps an audit trail of edits and deletions.

Cover the full retention window

  • Make sure your backups reach as far back as your scheme and L8 require records to be kept, not just the current year.

Settle ownership and access in writing

  • Get a data-ownership and exit clause into the contract with any software or monitoring provider: what you receive when the contract ends, in what format, and within what timescale.

Make the backup itself auditable

Two habits turn this from a checklist into a defensible arrangement.

First, record the backup itself the way you record any other control: who runs the export, how often, where the copies sit, and who last checked it. An inspector who sees you have planned for losing your records will draw the obvious conclusion about the rest. Security sits alongside this; Data security and privacy in digital logbooks covers the controls that keep those copies private as well as recoverable, and where the master copy should sit in the first place is its own decision, weighed in Cloud vs on-premise: where to host your Legionella data.

Second, test a restore. A backup you have never opened is a guess. Take last month’s export, open it on a different machine, and check that a signed task record is still legible and a temperature log still adds up. Do that once a quarter and you find the format problems while they are cheap to fix, not in the middle of an investigation.

The part most teams skip

Almost everyone exports something eventually. Far fewer ever try to read it back, and fewer still have an exit clause that guarantees they can. The restore test and the contract clause separate a real backup from a comforting habit, and both get postponed because nothing has gone wrong yet. If you have never opened one of your own exports, start there this week: pull last month’s data, open it somewhere other than the live system, and confirm a signed record is still readable. Whatever you find is your real backup position.

Before you rely on any of this

This is general guidance, not IT policy, legal advice or a data-protection assessment. Backup frequency, acceptable formats and how long each record is held should be agreed with your competent Legionella adviser and whoever owns information governance and IT for the site. Your risk assessment and written scheme decide what has to be kept and for how long, so treat the timings here as a starting point to confirm, including against L8’s retention expectations, rather than fixed rules.

FAQ

If our records are in a cloud logbook, do we still need our own backup?

Yes. A provider’s resilience protects its service, not your ability to retrieve a usable copy if the account lapses, the company folds, or someone deletes data that then syncs away. An independent export you control closes that gap.

What file format should we export Legionella records into?

Open, durable, human-readable ones: PDF for signed and closed-out evidence, CSV for raw readings. The test is simple. Could you still open and understand the file in several years without the original software? If not, it is not a safe backup format. Long-term storage is worth planning deliberately, which Archiving Legionella records for long-term access goes into.

Who owns the data if we switch monitoring contractors?

That depends entirely on what your contract says, which is why it needs an explicit data-ownership and exit clause. Agree before signing that the full history is yours, in an open format, returned within a set timescale when the contract ends.

Sources

[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems — Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm [3] HSE, “Legionnaires’ disease — what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm