A water-hygiene logbook used to be a ring binder in a plant room. The security model was a lock and a signature. Move the same records into an app and a supplier’s cloud, and you are suddenly responsible for two very different things at once: a body of compliance evidence that an HSE inspector or an insurer can demand, and a store of personal data - names, signatures, user IDs, contractor details, sometimes information that points straight at the people who live in the building.

Get the security wrong and a single mistake can fail you on both fronts. A logbook anyone can quietly edit is no longer trustworthy evidence. A logbook left open to the whole maintenance team is a data-protection complaint waiting to happen. The reassuring part is that the controls serving one job mostly serve the other.

Two regulated jobs sharing one login

L8 expects duty holders to keep records of the precautions taken, the monitoring carried out, and the management arrangements behind them [1]. HSG274 fills in what those records should actually show - temperatures, inspections, cleaning, sampling, and what was done when a result fell outside the expected range [2]. None of that changes because the binder became an app. The bar is identical; the ways it can break are new.

So digital logbook security comes down to a blunter question than the dashboards suggest: would this record still stand up if someone wanted it to lie? That single test sorts genuine systems of record from convenient ones.

The audit trail is the whole point

The reason a digital log can beat paper is attribution. A good system stamps every entry with who made it, when, and against which asset - and when something is later corrected it keeps the original, with the change visible rather than overwritten. That audit-trail integrity is what lets you stand in front of an inspector and say not just “the temperature was in range” but “here is who took it, when, and proof nobody touched it afterwards.”

A system that lets any user silently change a past reading is worse than the binder it replaced, because it carries an air of authority it has not earned. When you assess a product, try to edit a closed record and watch what happens. If the change leaves no trace, walk away. Tamper-evident records are the feature you are actually buying.

Attribution only works if logins are not shared. One “engineer1” account used by six people destroys the advantage you paid for. Proper access control - separate rights to view, complete a task, sign off, and administer - should mean a missed flush traces to a named person and a corrected reading to whoever corrected it. Tie that role-based access control to your written scheme so the people allowed to sign things off are the people the scheme says are competent to.
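
As an added illustration of the design this section describes (example code, not any vendor's product): readings are hash-chained, a correction is appended as a new attributed entry that points back at the record it supersedes rather than overwriting it, and `verify()` is the "try to edit a closed record" check. Asset names, user IDs and values are constructed samples.

```python
import hashlib
import json
from datetime import datetime, timezone


def _digest(body: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Logbook:
    """Append-only, tamper-evident log. Nothing is ever edited in place."""

    def __init__(self):
        self.entries = []

    def _append(self, **fields) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "prev_hash": prev, **fields}
        entry["hash"] = _digest({k: v for k, v in entry.items() if k != "hash"})
        self.entries.append(entry)
        return entry

    def record(self, user, asset, value, ts=None) -> dict:
        ts = ts or datetime.now(timezone.utc).isoformat()
        return self._append(kind="reading", user=user, asset=asset, value=value, ts=ts)

    def correct(self, user, seq, value, reason, ts=None) -> dict:
        # The original stays exactly as taken; the change is visible and attributed.
        ts = ts or datetime.now(timezone.utc).isoformat()
        asset = self.entries[seq]["asset"]
        return self._append(kind="correction", user=user, asset=asset, value=value,
                            supersedes=seq, reason=reason, ts=ts)

    def effective_value(self, seq):
        # Follow corrections forward; a later correction of a correction also wins.
        value = self.entries[seq]["value"]
        for e in self.entries:
            if e.get("supersedes") == seq:
                value, seq = e["value"], e["seq"]
        return value

    def verify(self) -> bool:
        # A silent edit breaks the entry's own hash; recomputing that hash to hide
        # the edit breaks the prev_hash of every entry that follows.
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```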

It is also personal data you are accountable for

The moment names, signatures and login records go into the system, UK data protection law applies - the UK GDPR and the Data Protection Act 2018, overseen by the ICO. This is not Legionella guidance, and it is not something to take from a blog: if you hold staff or resident data at any scale, get the position checked by whoever owns data protection in your organisation. A few principles are worth carrying into that conversation.

Collect what the control scheme needs and little else. A temperature reading needs an asset, a time, a result and an accountable person; it rarely needs anyone’s home address. Care settings raise the stakes - a log that records which room was flushed, which was skipped, and on whose watch can become information about identifiable, vulnerable people, so access there deserves more thought, not less (a companion guide covers the wider care-home picture).

Decide who can read the records, not only who can write them. The contractor servicing your calorifiers does not need to browse three years of staff sign-offs to do the job. And be ready for the day an employee asks what the system holds about them; a subject access request is far easier to answer when access and retention were designed in rather than bolted on.

Keeping records long enough, but not forever

Here is the real tension. Compliance pushes you to retain: L8 sets retention expectations, and the period depends on the type of record [1] - confirm the exact figures for your monitoring and inspection records rather than guessing. Data protection pulls the other way, because you should not hold personal data longer than you can justify.

The resolution is usually to keep the compliance evidence for its required life while being deliberate about the personal data wrapped around it. Settle the record retention rule, write it down, and make sure the platform can actually enforce it instead of hoarding everything by default.

What happens if the supplier disappears

Your records have to outlive your software contract. If the provider hikes its price, gets acquired, or simply folds, you still need to produce years of evidence on demand. Three questions cover most of the risk. Can you export the full history - readings, photos, audit trail and all - in a usable format, on your own schedule? Where is the data hosted, and who else can reach it? And if the platform is offline the morning an inspector turns up, can you still get at the records?

Accountability never travels with the data. Outsourcing the storage to a vendor, or the tasks to a contractor, does not move the legal duty off the duty holder [3]. You remain responsible for records held on your behalf, which means the contract - not a verbal assurance - should spell out export, deletion, breach notification, and what happens to your data when the relationship ends.

A security check before you sign

Run any digital logbook through these before it becomes your system of record. Work down the groups and write the answers into the procurement file.

Evidence integrity

  • Confirm every entry captures who, when, which asset and the result automatically.
  • Try to alter a closed record, and verify the change is logged, attributed, and reversible to the original.
  • Check that exceptions and remedial actions sit against the task, not buried in a separate note.

Access and accountability

  • Insist on individual logins, and ban shared accounts in your own policy.
  • Map system roles (view / complete / sign-off / admin) onto your written scheme.
  • Confirm you can see, and limit, who can read records as well as who can edit them.

Personal data

  • List what personal data the system collects and strip out what the scheme does not need.
  • Set a retention rule that satisfies both record-keeping and data-protection duties, and check the platform enforces it.
  • Get your data protection lead to sign off the arrangement before go-live.

Continuity

  • Test a full export of history and audit trail in a format you can open without the vendor.
  • Pin down hosting location, sub-processors and breach-notification terms in the contract.
  • Confirm you can retrieve records if the platform is down or the supplier ceases trading.

Where this guidance stops

This is general guidance on running a secure digital record. It is not legal advice and not a substitute for your own data-protection obligations. The right retention periods, access rules and contract terms depend on your organisation, your software, and the people whose data you hold - set them through competent advice and a current, site-specific risk assessment. When two duties seem to pull against each other, the safe default is to keep the compliance evidence and tighten control of the personal data.

FAQ

Can we let our Legionella contractor host all our records on their system?

Yes, and many duty holders do, but the accountability stays with you [3]. Make sure the contract gives you a full export of the history and audit trail at any time, defines who can access the data, and states what happens to it if you change provider. A logbook you cannot get out of a supplier’s portal is a record you do not really control.

How long do we have to keep digital Legionella records?

L8 sets retention expectations, and the period varies by record type [1], so check the exact figures for your monitoring and inspection records. Data protection adds the opposite pressure: do not keep the personal data around those records longer than you can justify. Keep the compliance evidence for its required life, and apply a deliberate retention rule to the personal detail.

If an inspector arrives and our logbook software is down, are we in trouble?

You are expected to be able to produce your records [1][2], so availability is part of security rather than a separate IT worry. Keep a way to retrieve recent evidence - a periodic export or an offline copy - so a platform outage, or a lost signal in a basement plant room, does not leave you unable to show control.

Sources

[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm

[2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm

[3] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm