Read your water hygiene service report the way an inspector would read it back to you: as the evidence you would have to defend. Look for actual readings tied to named outlets, dated and signed. Treat a page of blanket “satisfactory” verdicts with no numbers behind them as a warning, not reassurance.

Here is the uncomfortable part of outsourcing. You can hand a contractor the monitoring, the flushing and the sampling. You cannot hand them the duty. Under ACoP L8 the responsibility for controlling the risk, and for keeping the records that prove it, stays with the duty holder even when someone else does the work on the ground [1][2]. The service report is the main thing you hold from all that spend. If it cannot stand up as evidence, you have paid for a visit, not for compliance.

So this is about checking contractor evidence, not checking the contractor. A good provider will welcome the questions. There is no legally mandated template for a service report, and the Legionella Control Association’s Code of Conduct sets the standard registered providers sign up to rather than dictating a universal layout [3]. That means you are not looking for specific named fields. You are looking for whether the report does the job evidence has to do.

Read your next report with this checklist

Print the latest report, sit with it for ten minutes, and mark each line. Green where the report gives you what you need on the spot. Amber where it half-answers. Red where it does not answer at all. Work through the five groups in order, because they build: scope decides what should be there, the data decides whether it is real, traceability decides whether you can trust it, close-out decides whether anything changes, and the link to your scheme decides whether any of it is the right evidence for your building.

1. Did they do the job you are paying for?

  • The visit covered the scope your written scheme and contract set out: the right systems, the agreed number of outlets, on or near the agreed date.
  • You can see which specific outlets were visited this time, not just a total count.
  • The same handful of outlets are not the only ones ever touched, while others never appear from one year to the next.
  • Any task that was skipped, deferred or could not be accessed is stated, with the reason, rather than silently missing.

2. Is there real data, or just verdicts?

  • Readings are actual values: temperatures in degrees, dwell times, sample counts. A column of “satisfactory” or “pass” is a verdict, not evidence.
  • Each value is set against your scheme’s limit, so an out-of-range result is obvious rather than buried.
  • Figures are not suspiciously identical across every outlet and every visit. Real buildings produce a spread; a sentinel tap reading exactly 55C month after month deserves a question [4].
  • Where temperature is not the control method, the alternative regime (for example a chemical dose) is reported against its own parameters.

3. Can you trace each line to an asset and a person?

  • The engineer who attended is named, and the report is signed or otherwise attributable to them.
  • The date of the visit is recorded, and ideally the date the report reached you.
  • Outlet and asset references match your own asset register and schematic, so “hot tap, first floor” is a specific tap you can find.

4. Does it close the loop on problems?

  • Any out-of-range result carries a clear recommended action and some sense of priority, not just a red number left hanging.
  • Actions raised at the last visit show as closed, in progress, or carried forward with a reason. They do not quietly vanish.
  • Remedial works, re-tests and disinfections are recorded so an auditor could follow the thread from problem to fix.

5. Does it connect back to your scheme?

  • The report relates to your risk assessment and written scheme of control, not a generic template that could belong to any site.
  • Recommendations are specific to your building rather than recycled boilerplate that appears every visit and is never resolved.

What “all satisfactory” is really telling you

The single most common red flag is a report that is all green and all empty: every line marked satisfactory, not a number in sight. It feels reassuring, which is exactly the problem. “Satisfactory” is the contractor’s conclusion. The reading is the evidence. If a temperature was genuinely 58C at a sentinel tap, the report can simply say so; if it cannot, you have no way to know whether anyone measured anything.

An inspector reading your records is doing the same thing you should be: checking that monitoring actually happened, that results were within the limits your scheme sets, and that someone acted when they were not [2]. A verdict-only report gives them nothing to check, which is why it tends to attract more scrutiny, not less. The deeper look at what inspectors look for in your Legionella records is worth reading alongside this, because the report is the document that lands in front of them first.

How to use the marked-up report

One report tells you little. A run of them tells you everything. Keep them where you can lay three or four side by side, because the failures hide in the comparison: the recommendation that is copied forward unchanged every quarter, the outlet that drops off the list, the readings that never move. That is the practical core of outsourced water hygiene oversight: not redoing the contractor’s work, but watching the pattern of it.

When a mark comes up amber or red, raise it in writing and ask for the specific value or the reason. A registered provider working to the LCA Code of Conduct should be able to answer plainly [3]. If the answer is defensive, vague, or “that is just how we report”, treat that as data too. This kind of structured contractor service report review sits naturally alongside a periodic independent check; see Third-party audits: validating your Legionella programme for when to bring a second pair of eyes in.

The red flags that quietly leave you non-compliant

The reports that cause trouble rarely look alarming. They look tidy. Watch for the report that arrives weeks after the visit, so an out-of-range result sat unactioned. Watch for missing engineer details, because anonymous evidence is weak evidence. Watch for a schematic and asset register that no longer match the building, so “satisfactory” describes a system that has since changed. And watch for the recommendation that has appeared on every report for two years and never been closed — that is not a contractor failing so much as a duty holder one, because acting on the findings is your call to make.

Before you take this checklist as a verdict on your contractor

This is general guidance, not legal advice, and it does not judge whether any particular provider is doing a good job. What counts as adequate monitoring, which outlets matter, and the exact temperatures and limits a result is measured against are all set by a competent, site-specific risk assessment, and they will differ from the next building’s. The checklist tells you whether your report works as evidence. Only your assessment tells you whether it is the right evidence. Use a red mark as a prompt to ask a question, not as a charge sheet.

A concrete next step for today: pull your last three reports and run group two against them — the data, not the verdicts. If you cannot find a single actual temperature reading tied to a named outlet across all three, you have found your weakest point, and the conversation to have with your provider this week. If the readings are there but scattered, late and hard to compare, that is the case for pulling monitoring into a digital logbook such as L8Log, where each result is stamped to a specific asset, dated, and checked against your limits as it lands — so the gaps surface while you can still act on them, not at the next inspection.

FAQ

My report just says “all satisfactory” with no numbers. Is that a problem?

It is a weakness you should fix. “Satisfactory” is the contractor’s judgement; the actual reading is the evidence an inspector, insurer or incident investigator will want to see. Ask your provider to report the values — temperatures, counts, dwell times — measured against the limits in your scheme. A provider working to the LCA Code of Conduct should be able to supply them without fuss [3].

Can I rely on my contractor’s report as proof that I am compliant?

The report is important evidence, but it is not a transfer of responsibility. Appointing competent help does not move the legal duty: under L8 you remain accountable for the control measures and for the records that demonstrate them [1][2]. The report proves the work was done and the results acted on; you still have to read it, challenge gaps, and close out the recommendations.

What should I do if I spot a red flag in the report?

Raise it in writing and ask for the specific evidence — the value, the date, the engineer, or the reason a task was skipped. Keep your query and the response with the report, because that exchange is part of your record. If the same flag recurs across several visits, escalate it, and consider an independent audit to confirm whether the issue is the reporting or the work itself.

Sources

[1] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm [2] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [3] Legionella Control Association, “Code of Conduct for Service Providers”. https://www.legionellacontrol.org.uk/ [4] HSE, “Hot and cold water systems”. https://www.hse.gov.uk/legionnaires/hot-and-cold.htm