---
title: "Working with contractors: ensuring Legionella compliance"
source_url: https://legionella.io/articles/working-with-contractors-ensuring-legionella-compliance/
canonical_url: https://legionella.io/articles/working-with-contractors-ensuring-legionella-compliance/
pillar: "UK Legionella Law & Compliance"
summary: "Outsourcing Legionella work never outsources the duty. The criteria, vendor questions and red flags for picking a contractor who can actually prove control."
primary_keyword: "Legionella contractors"
date_published: 2025-12-31
date_reviewed: 2026-06-26
author: "Legionella.io editorial team (REMOTE TECH LTD)"
reviewed_against: "HSE L8 and HSG274 guidance"
region: "United Kingdom"
license: "(c) REMOTE TECH LTD. Quote freely with attribution and a link to source_url."
---

# Working with contractors: ensuring Legionella compliance

You can pay a contractor to write the risk assessment, take the temperatures, flush the dead legs and disinfect the calorifier. What you cannot pay them to do is take on the duty. If a case is ever linked to your building, the enforcing authority knocks on the duty holder's door first, and a signed contract is not a defence [1].

So the question when you appoint Legionella contractors is not which quote is lowest. It is which provider leaves you with control that works and evidence you can stand behind.

That single shift changes what you look for. You are not buying a glossy report or a platform login. You are buying the parts of a working control regime you cannot run in-house, plus a clear trail that ties every control back to a person, a result, and an action for when the result is wrong.

## What you are actually paying for

The work itself is well defined. A site-specific risk assessment, a written scheme of control, routine temperature monitoring, cleaning and disinfection, and sampling where the assessment calls for it. L8 sets out that management structure clearly, and any or all of those tasks can be carried out by a competent contractor [2].

The duties behind the tasks stay put. HSE frames the core responsibility as identifying and assessing the risk, managing and controlling it, keeping records, and appointing competent help to do so [1]. Appointing help is on that list. Offloading the responsibility is not on it.

What you genuinely cannot buy in is judgement. The responsible person has to know enough to brief a contractor, read what comes back, and push when something looks thin. A duty holder who cannot tell a real risk assessment from a template with the address changed is buying blind, however polished the supplier.

## How to size up a contractor before you sign

Treat selection as a structured check, not a gut feel about who sounded professional on the phone. Three groups of questions separate a provider who improves your position from one who just adds admin.

**Competence you can verify.** Is the provider registered with the Legionella Control Association, whose members commit to a published code of conduct for service providers [5]? Registration is a filter, not a guarantee. Confirm that the people actually attending your site are trained for the work in front of them, and that their method references L8 and HSG274 rather than an in-house "compliance package" with no traceable basis [2][3].

**Scope that fits your building.** Will they walk the site and write an assessment for your system, or reissue last year's with a fresh date? Does the proposed monitoring schedule come from your risk assessment, or from their standard service tier? Frequency should follow the system and the assessment, not a price band [3].

**Evidence you are left holding.** Ask exactly what records you keep afterwards and in what form. Can the responsible person see open actions, not just ticked-off tasks? Be explicit about who closes remedial work — them, you, or a third party — because that handover gap is where compliance quietly fails.

Four questions worth asking before you sign anything:

- Show me a redacted risk assessment you have written for a building like mine.
- When a temperature reading or a sample fails, what do you do, and what do you expect us to do?
- Which tasks remain our responsibility once you are on board?
- What makes you recommend remedial work, and how do you keep that separate from selling services?

A confident provider answers all four without flinching. Hesitation on the last two is the tell.

And the red flags. Walk away, or at least slow down, if you see:

- A risk assessment delivered the same day with no site visit.
- A clean sample offered as proof the system is safe. It describes one outlet at one moment, nothing more [4].
- A quote that bundles annual chlorination or tank cleaning as routine line items regardless of what the assessment finds.
- No straight answer on who owns and closes remedial actions.
- Reluctance to spell out which duties stay with you.

## One-stop shop versus specialist

A single firm doing assessment, monitoring and remedial work is convenient, and for many sites it is the sensible call. The catch is the obvious one: the company that finds the problem also sells the fix. That is not a reason to rule them out, but it is a reason to keep your own risk assessment honest and to get independent eyes on any large remedial recommendation before you commit the budget. If you want a structured way to weigh those recommendations, the cost-versus-risk question deserves to be treated on its own terms — see [Justifying Legionella control measures: cost vs risk](https://legionella.io/articles/justifying-legionella-control-measures-cost-vs-risk/).

Fixed-price packages are easy to approve and easy to mis-buy. They work when the scope genuinely matches your system, and they fail quietly when it does not. A package built for a small mains-fed office, applied to a site with a calorifier, long pipe runs and intermittently used outlets, leaves gaps nobody priced.

## A caveat before you compare quotes

None of this sets your control limits. The criteria above help you judge a provider; they do not decide your temperatures, your sampling points or your remedial triggers. Those come from a competent, site-specific assessment of your own building and the people who use it, not from a contractor's standard menu. Use the framework to choose well, then let your risk assessment drive what the contractor actually does.

## When you may not need one at all

Bringing in a contractor is not automatic. For simpler, lower-risk systems, a competent person can assess and manage the risk in-house [1]. A small premises with a couple of outlets, mains-fed and in regular use, may not need a consultant on retainer so much as someone who understands the system and keeps honest records. The pragmatic rule: buy in what you cannot do competently or repeatably yourself, and keep the rest. Paying for work you could do well in-house does not buy more safety, only more paperwork.

Where the stakes rise — and where individual accountability can follow a failure — the case for a competent appointment gets stronger. [Personal liability: can individuals be prosecuted for Legionella failures?](https://legionella.io/articles/personal-liability-can-individuals-be-prosecuted-for-legionella-failures/) covers who carries that personal risk when things go wrong.

Your move this week: pull the most recent risk assessment your provider gave you and read it as a sceptic. Does it describe your building, or could it be anyone's? Are the monitoring frequencies justified, or merely stated? If you cannot answer, that is your first conversation at the next renewal — and a fair test of whether you have the right contractor.

## FAQ

### If we hire a contractor, are we still responsible when something goes wrong?
Yes. The duty holder keeps the legal responsibility for managing Legionella risk; appointing a contractor transfers the task, not the duty. Their work forms part of your control regime, and you are expected to oversee it and hold the records that show it [1].

### Does a Legionella contractor have to be LCA-registered?
It is not a legal requirement. But registration with the Legionella Control Association signals that a provider has committed to a published code of conduct, which makes it a reasonable first filter [5]. Treat it as a starting point and still confirm competence for your specific system yourself.

### How do we know the monitoring schedule the contractor proposes is right?
It should trace back to your site-specific risk assessment rather than a generic service tier. Monitoring and sampling frequency follow the system and the assessment, so ask the provider to show that link explicitly before you accept the schedule [3][4].

## Related reading

- [Justifying Legionella control measures: cost vs risk](https://legionella.io/articles/justifying-legionella-control-measures-cost-vs-risk/)
- [Personal liability: can individuals be prosecuted for Legionella failures?](https://legionella.io/articles/personal-liability-can-individuals-be-prosecuted-for-legionella-failures/)
- [New detection technology: rapid Legionella test science](https://legionella.io/articles/new-detection-technology-rapid-legionella-test-science/)
- [Cooling tower notification duties and local authority registers](https://legionella.io/articles/cooling-tower-notification-duties-and-local-authority-registers/)

## Sources

[1] HSE, "Legionnaires' disease - what you must do". https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm
[2] HSE, "Legionnaires' disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)". https://www.hse.gov.uk/pubns/books/l8.htm
[3] HSE, "Legionnaires' disease: Technical guidance (HSG274)". https://www.hse.gov.uk/pubns/books/hsg274.htm
[4] HSE, "Testing and monitoring your water system for legionella". https://www.hse.gov.uk/legionnaires/testing-monitoring-water-system.htm
[5] Legionella Control Association, "Code of Conduct for Service Providers". https://www.legionellacontrol.org.uk/