Yes. In the UK, the law reaches past the company to the people who made — or failed to make — the decisions behind a Legionella failure. A limited company can be fined into the ground, but a manager, a director or a named responsible person can also stand in the dock in their own name. The corporate shield is thinner than most people assume.
What decides personal exposure is not your job title. It is what you knew, what you decided, and what you let slide. A facilities manager who flagged a failing cold-water tank in writing and was overruled sits in a very different position from one who held the budget, watched the overdue actions pile up, and signed nothing. The same evidence that proves the organisation was in control is the evidence that puts your own conduct on the record.
So the practical way to read Legionella personal liability is as a question about your footprint in the paperwork, not as an abstract legal threat hanging over the building.
How personal liability actually works
UK health and safety duties land on the organisation first. HSE summarises the core obligation as identifying and assessing sources of risk, managing and controlling them, keeping appropriate records and carrying out related duties [1]. The Approved Code of Practice, L8, sets out the management structure expected of competent control: a suitable risk assessment, a written scheme, a competent responsible person, implementation, monitoring, record keeping and review [2]. An ACoP carries real weight in court — if a regulator shows you departed from it, the burden falls on you to demonstrate you achieved compliance another way.
Personal prosecution layers on top of that corporate duty in two broad ways. Employees, including managers, carry their own duty to take reasonable care and not to undermine the controls their employer has put in place. And where an offence by the company is shown to have happened with the consent or connivance of a senior individual — or to be attributable to their neglect — that individual can be prosecuted alongside the business. Penalties for individuals range from fines to, in the gravest cases, imprisonment, with the heaviest outcomes following where a foreseeable risk was known and left unaddressed.
The principle is settled, even where the statutory detail needs a lawyer to pin down: outsourcing a task does not outsource your duty, and seniority does not insulate you. It enlarges your exposure.
Where the line falls in real situations
Four situations cover most of what lands on a real desk.
You are the named responsible person, but in name only. Being appointed without the competence, time or authority to act is not a defence — it can be evidence that the appointment was a paper exercise. If your name is on the scheme, you are expected to explain why each control exists, what result is acceptable, and what happens when a reading falls outside the limit. “I was just the name on the form” tends to make the position worse, not better.
You hold the budget and quietly starve the controls. Where a director or senior manager controls resources and lets monitoring lapse, defers remedial work, or treats Legionella as a cost to shave, that is exactly the territory the consent-connivance-neglect route was written for. Choosing not to fund a known control is a decision, and it shows up in what you approved and what you declined.
You flagged it and were overruled. This one reverses the usual instinct. Raising a risk in writing, to the person who can actually fix or fund it, is the single strongest thing a manager can do to protect themselves — and it pushes exposure toward whoever held the authority and sat on it. The email you sent is worth more than the task you could not afford to finish. Verbal warnings nobody can find later protect no one. If you suspect your control budget is being squeezed past what is safe, on cost versus risk shows how to put that argument on the record properly.
You handed it all to a contractor. A contractor performs tasks under your duty; the duty itself stays with you. You still have to be competent enough to appoint them well, brief them, read their reports and chase the actions they raise. A signed contract is not a transfer of liability — see on working with contractors for what that oversight looks like day to day.
What nobody tells you about your own exposure
The uncomfortable parts rarely make it into a standard compliance briefing.
- The records cut both ways. Logbooks, temperature readings and remedial-action lists are usually sold as proof the system is controlled. They are also a timeline of what each named person knew and when. They clear you if you acted on what they showed; they sink you if you initialled an overdue action and did nothing.
- Silence is the trap, not honest error. A mistake caught and corrected reads very differently from a risk assessment nobody opened or an alarm nobody acknowledged. Investigators look hardest at what was foreseeable and ignored.
- “I wasn’t told” is weak; “I told them” is strong. Whether you were the warned or the warner often decides which side of the line you land on. Both come down to written communication, not good intentions.
- A clean sample is not a clean conscience. A negative Legionella result describes a handful of outlets at one moment — not whether the temperature regime held, stagnation was managed, or anyone reviewed the scheme. Leaning on it as a defence mistakes what is actually examined after an incident.
- Notification can be out of your hands. A confirmed case of Legionnaires’ disease linked to a workplace can bring a regulator to the door through routine disease reporting, before you have decided how to present anything [3]. By then, the paperwork is whatever it already was.
A word on where this guidance stops
This is a plain-English map of how personal liability tends to work, not legal advice on your circumstances. Whether any individual is charged turns on the specific facts, the strength of the evidence about who decided what, and the regulator’s own judgement. If you are facing an HSE inspection, an improvement or prohibition notice, or any investigation, get a competent health-and-safety solicitor involved early — not a blog, and not your water-treatment contractor. The precise offences, thresholds and penalties should be checked against current legislation.
Cutting your own exposure this week
You can change your position in an afternoon, mostly with a few emails and one careful read-through.
- Confirm, in writing, whether you are the named duty holder or responsible person, and for exactly which systems. Vague appointments help no one.
- Read the current risk assessment and written scheme end to end. If you cannot say why a control exists or what its acceptable result is, that gap is yours to close now.
- List every overdue remedial action and put a dated note against each: done, scheduled, or escalated. An open action with no owner is the worst thing an investigator can find.
- If a resource or authority gap is stopping you from controlling a known risk, say so in writing to whoever can fix it — and keep the reply.
None of this needs a lawyer or a budget round. It just moves you from “the name on the form” to “the person who acted on what they knew”, which is the whole point.
FAQ
Can I personally go to prison for a Legionella failure?
For most lapses the realistic outcome is enforcement action and fines against the organisation. Imprisonment of an individual is reserved for serious cases — typically where a known, foreseeable risk was ignored and harm followed — and the prosecuting authority decides whether to pursue it. Treat it as a genuine possibility at the severe end, not the usual result.
Does hiring a contractor or consultant move the liability off me?
No. You can delegate the work; you cannot delegate the duty. You remain responsible for appointing a competent provider, briefing them properly, reviewing what they report and closing the actions they raise. If you cannot show that oversight, the contract will not shield you.
I raised the problem and was overruled — am I still liable?
Your position is far stronger if you raised it clearly, in writing, to someone with the authority to act, and that record survives. Doing so tends to move exposure toward whoever decided to do nothing. A warning nobody can later find offers little protection, which is why how you escalate matters as much as the fact that you escalated.
Sources
[1] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm [2] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [3] HSE, “RIDDOR - Reporting of Injuries, Diseases and Dangerous Occurrences Regulations”. https://www.hse.gov.uk/riddor/