A ring binder of policies is not proof that your water system is under control. It is proof that someone bought a binder. The records that actually matter under UK Legionella guidance are the ones that connect each control measure to a person, a date, a reading and — when something drifted — a fix.
The duty is easy to state and easy to get subtly wrong. The Health and Safety Executive expects duty holders to identify and assess the risk, put controls in place, keep records and carry out their other relevant duties [3]. The Approved Code of Practice, ACoP L8, sets out the management structure behind that: a risk assessment, a written scheme, a competent responsible person, monitoring, record keeping and review [1]. Most sites have all the words. Far fewer have records that would survive an audit, a handover, or the worst day — an incident investigation.
These are the Legionella record keeping mistakes that catch out competent, well-meaning teams, and what to do instead.
Where the records actually fail
The binder problem: documents without evidence
A risk assessment, a written scheme and a glossy policy sit in a folder. Then someone asks to see the last three months of completed tasks, and the folder goes quiet. A document describes what should happen; a record proves it did. L8 expects records of the precautions and monitoring actually carried out, not just the plan that says they will be [1]. The fix is to make every control in the written scheme point to evidence it happened — a temperature log, a cleaning sign-off, a flushing entry — so the plan and the proof live in the same place. Essential records for Legionella compliance covers which records that scheme should generate.
Logging the task, not the result
“Flushed — tick. Temperature checked — tick.” A tick confirms someone visited. It does not tell you the water was safe. The entry that earns its place captures the number: which outlet, the date, the reading, whether it sat inside the expected range, and who took it. HSG274 frames monitoring around recorded results, not attendance [2]. A blunt test: if your logbook can be completed without writing down a single temperature, it is an attendance sheet, not a control record.
Burying the readings that went wrong
This is the expensive one. Teams diligently record the in-range results and quietly skip the day a sentinel tap came back tepid, or the calorifier ran cold over a bank holiday. Those out-of-range readings, and what you did about them, are the most valuable records you hold — they show a system that is being managed, not merely measured. An investigator who finds nothing but perfect numbers does not conclude you run a perfect system; they conclude the records aren’t honest. Log the exceedance, the cause if you know it, the remedial action, and the recheck that confirmed it was resolved.
Letting the contractor be the only keeper
You appoint a specialist, they do the monitoring, the data lives on their portal. Then you switch provider — or they fold — and three years of history walks out the door. Accountability for control, and for the records that prove it, stays with the duty holder whoever holds the pen [3]. Keep your own copies, in a format you control, and make sure you can pull any month’s evidence without having to email someone.
No record of who is accountable, or competent
L8 expects a named responsible person with the authority and competence to manage the scheme [1]. Surprisingly often there is no record of who that actually is, when they were appointed, or what training backs the role. If the one person who understands the regime leaves on a Friday, the records should let their successor pick it up on the Monday. Write down the appointment, the training and the escalation route, and treat that as part of the evidence, not admin.
Records that can’t survive a handover
Undated sheets, unsigned entries, two spreadsheets, a WhatsApp thread and a damp box of paper in the plant room. Each entry might be defensible on its own; together, nobody can reconstruct the story. The fairest test of any record system is whether a competent person who has never set foot in your building could pick it up cold and explain how control has been maintained. If they can’t, the records aren’t doing their job, no matter how many there are.
How long you have to keep it
Records are only useful if they are still there when someone asks. Guidance commonly cited from L8 sets retention around the period a record stays current plus a margin afterwards: the risk assessment and written scheme typically kept for roughly two years after they are superseded, and records of monitoring, inspections and checks for roughly five years [1]. Treat those as a floor that guidance sets and your own arrangements confirm, not a number to trim. The cheaper habit is to retain by default and review on a schedule, rather than discover during an investigation that the relevant log was binned last spring.
What this guidance can and can’t decide for you
None of this is legal advice, and no article can set your retention periods, monitoring frequencies or acceptable limits — those come from a competent, site-specific risk assessment and the systems you actually run. The principle travels, though: if your records can’t reconstruct control without you standing in the room to narrate them, fix the records before you fix anything else.
Start with one control
Pick a single control this week — say, the monthly hot-water temperatures at your sentinel outlets — and trace it end to end. For the last three months, can you produce who took each reading, when, the value, whether it was in range, and what happened on any day it wasn’t? If yes, you’ve found the standard to roll out across every control in your written scheme. If no, you’ve just found the gap an auditor would find — only quieter, earlier, and on your own terms.
FAQ
How long do I need to keep Legionella records?
Guidance from L8 broadly points to keeping the risk assessment and written scheme for around two years after they are replaced, and monitoring records such as temperatures, inspections and checks for around five years [1]. Confirm the figures that apply to your site through your own arrangements, and when in doubt, keep them longer rather than shorter.
Are digital logbooks acceptable, or do we need paper?
Format is not the obligation; provable control is. A digital logbook is fine — and usually easier to audit — as long as it captures who did the task, when, on which asset, the result, whether it was in range, and what happened when it wasn’t [1]. If you’re weighing the move, Paper vs digital logbooks: making the switch walks through making the switch.
If our contractor keeps the records, is that enough?
No. A contractor can do the monitoring and hold a copy, but the duty holder stays accountable for control and for the records that demonstrate it [3]. You need your own retrievable copies and enough understanding to brief, challenge and review whoever does the work.
Sources
[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm [3] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm