workplace safety

H&S Record Keeping Requirements Guide

Comprehensive guide to health and safety record keeping requirements in the UK. Learn what you must record, legal obligations under HSWA 1974 and Management Regulations, retention periods, and best practices for compliance.

This guide includes a free downloadable checklist.

Get the checklist

Effective health and safety management depends on proper record keeping. Whether you employ 5 people or 500, certain records are legally required, while others represent best practice that can protect your business. But what exactly must you keep, and why does it matter?

Record keeping isn't just bureaucratic box-ticking. It demonstrates compliance, provides evidence of due diligence, helps identify trends, and can be crucial if accidents occur or inspectors visit your workplace.

How confident are you about your health and safety record keeping obligations?

Let's assess your current understanding.

Why health and safety record keeping matters

Proper record keeping serves multiple critical purposes beyond legal compliance:

Legal requirement: Many health and safety regulations explicitly mandate record keeping. Failure to maintain required records is itself a breach of the law.

Evidence of due diligence: Records demonstrate that you take your responsibilities seriously. If prosecuted or faced with civil claims, comprehensive records can be the difference between successful defence and significant penalties.

Operational management: Good records help you manage health and safety effectively. They inform resource allocation, training planning, and continuous improvement initiatives.

Trend analysis: Patterns in incident records, near misses, or inspection findings can reveal systemic issues before they result in serious harm.

Inspection readiness: When HSE or local authority inspectors visit, they will expect to see various records. Having them organized and accessible demonstrates competence and professionalism.

Insurance and claims: Insurers require records to process claims and assess premiums. Complete records support your position in civil litigation and can reduce insurance costs.

Key Point

The absence of a record is typically interpreted as evidence that the activity didn't happen. If you conducted a risk assessment or provided training but cannot produce documentation, an inspector will assume you didn't do it.

Legal foundations for record keeping

The obligation to keep health and safety records flows from multiple pieces of legislation:

Health and Safety at Work etc. Act 1974 (HSWA 1974)

The HSWA 1974 establishes the general framework but doesn't specify detailed record keeping requirements. However, it creates duties that necessitate documentation:

Section 2 - Duties to employees:

  • To demonstrate you're ensuring employee health, safety, and welfare, you need records of risk assessments, training, inspections, and maintenance
  • If you employ 5 or more people, you must prepare and maintain a written health and safety policy

Section 3 - Duties to non-employees:

  • Records must show how you're protecting visitors, contractors, and the public from risks arising from your work

General duty of care:

  • The Act's requirement to do what is "reasonably practicable" means you must be able to demonstrate what you've done. Records provide that demonstration.

Management of Health and Safety at Work Regulations 1999

These regulations impose specific record keeping duties:

Regulation 3 - Risk Assessment:

  • Employers with 5 or more employees must record the significant findings of risk assessments
  • Must record the groups of employees at particular risk
  • Must document the arrangements for effective planning, organization, control, monitoring, and review

Regulation 5 - Health and safety arrangements:

  • If you employ 5 or more people, record the arrangements for implementing preventive and protective measures

Regulation 6 - Health surveillance:

  • Maintain health surveillance records where required
  • Records must be kept in a form suitable for review

Regulation 19 - Provision for new or expectant mothers:

  • Record risk assessments for new or expectant mothers
Note:

The threshold of 5 employees applies to several record keeping requirements, but keeping written records even below this threshold is strongly recommended. They protect your business and help manage safety effectively.

Other specific regulations requiring records

RIDDOR 2013:

  • Keep records of reportable incidents, diseases, and dangerous occurrences for at least 3 years from the date of the incident

Control of Substances Hazardous to Health Regulations 2002 (COSHH):

  • Maintain COSHH assessments
  • Keep health surveillance records for 40 years
  • Retain exposure monitoring records for at least 5 years

Electricity at Work Regulations 1989:

  • Maintain records of electrical inspections and testing

Workplace (Health, Safety and Welfare) Regulations 1992:

  • Document maintenance of workplace, equipment, and facilities

Provision and Use of Work Equipment Regulations 1998 (PUWER):

  • Keep records of equipment inspection and maintenance

Lifting Operations and Lifting Equipment Regulations 1998 (LOLER):

  • Maintain thorough examination reports for lifting equipment

Control of Noise at Work Regulations 2005:

  • Keep noise risk assessments and health surveillance records for 40 years

Control of Vibration at Work Regulations 2005:

  • Maintain vibration risk assessments and health surveillance records

Essential health and safety records

1. Health and safety policy

Who must keep it: All employers with 5 or more employees must have a written health and safety policy.

What it must contain:

  • General statement - Your commitment to health and safety, signed by senior management
  • Organisation - Who does what, responsibilities and reporting structures
  • Arrangements - How you manage specific risks, systems and procedures in place

Retention requirement:

  • Keep current policy readily accessible to all employees
  • Retain superseded versions for at least 3 years

Review frequency:

  • Review at least annually
  • Review immediately after significant changes to work activities, organizational structure, or following serious incidents
Key Point

Even if you employ fewer than 5 people, having a written policy demonstrates commitment and provides clarity about responsibilities. Many insurers and clients expect to see one regardless of your size.

2. Risk assessments

Legal requirement: All employers must conduct risk assessments. Those with 5 or more employees must record the significant findings.

What to record:

  • Identified hazards and who might be harmed
  • Evaluation of risks and existing control measures
  • Additional actions needed to control risks
  • Responsible persons and completion dates
  • Review dates and consultation records

Types of assessments to document:

  • General workplace risk assessments
  • COSHH assessments (hazardous substances)
  • Fire risk assessments
  • Manual handling assessments
  • Display screen equipment assessments
  • Noise and vibration assessments
  • Specific activity or task-based assessments
  • Young workers and new/expectant mothers assessments

Retention period:

  • Current assessments must be readily available
  • Archive superseded assessments for at least 3 years
  • For hazardous substances or serious risks, consider indefinite retention
Warning(anonymised)

Manufacturer fined £200,000 for missing risk assessments

The Situation

A manufacturing company was prosecuted after an employee suffered serious hand injuries from unguarded machinery. HSE inspection revealed no risk assessment had been conducted for the machine, and there were no records of any previous assessments for similar equipment.

What Went Wrong
  • No documented risk assessment for machinery
  • No record of safety reviews or inspections
  • No training records for equipment use
  • Company could not demonstrate they'd identified the hazard
  • Breach of Management Regulations requirement to assess and record risks
Outcome

The company was prosecuted under the Management of Health and Safety at Work Regulations 1999. They received a £200,000 fine plus £35,000 costs. The judge stated that the absence of risk assessments demonstrated 'a systemic failure to take health and safety seriously.'

Key Lesson

Risk assessments aren't optional paperwork. They're the foundation of health and safety management. Not having documented assessments suggests you haven't identified or evaluated risks, which is a serious breach of your fundamental duties.

3. Training records

What to record: Document all health and safety training provided to employees:

  • Induction training for new starters
  • Job-specific safety training
  • Fire safety and emergency procedures training
  • First aid training
  • Manual handling training
  • Working at height training
  • Equipment-specific training (e.g., forklift, machinery operation)
  • Refresher training

Details each record should include:

  • Employee name
  • Date of training
  • Type/content of training
  • Duration
  • Trainer's name and qualifications
  • Assessment of competence (not just attendance)
  • Date refresher training is due
  • Certificates from external providers

Retention period:

  • Maintain current training records for all employees
  • Keep for at least 6 years after an employee leaves
  • For work involving hazardous substances or serious risks, consider longer retention

Why it matters: Training records prove you've fulfilled your duty under Section 2(2)(c) of HSWA 1974 to provide "such information, instruction, training and supervision as is necessary."

Tip:

Use a training matrix showing what training each employee needs, when they received it, and when refreshers are due. This simple tool makes it easy to identify gaps and ensure no one misses required training.

4. Accident and incident records

What to record:

  • All workplace accidents and injuries (accident book)
  • Near misses and dangerous occurrences
  • Reportable incidents under RIDDOR
  • Investigation reports for serious incidents
  • First aid treatment provided
  • Actions taken to prevent recurrence

Legal requirements:

  • Maintain an accident book or equivalent system for recording all workplace injuries
  • Keep RIDDOR records (reportable incidents, diseases, dangerous occurrences) for at least 3 years
  • Comply with data protection requirements when recording personal information

Retention period:

  • Minimum: 3 years from date of incident (RIDDOR requirement)
  • Recommended: 6 years (civil claims can be brought up to 6 years after incident)
  • Best practice: Keep indefinitely for serious injuries or exposure to hazardous substances

Data protection considerations:

  • Accident records contain personal data and must be kept securely
  • Restrict access to authorized personnel only
  • Consider using accident books with removable pages to protect privacy
  • Ensure compliance with UK GDPR
Key Point

Three years may be the legal minimum for RIDDOR records, but many workplace injuries and occupational illnesses don't manifest fully until years later. Keeping records longer protects your ability to defend claims and demonstrate what controls were in place.

5. Equipment inspection and maintenance records

What to document:

  • Equipment inspection and testing records
  • Maintenance logs and service history
  • Portable appliance testing (PAT)
  • Lifting equipment thorough examinations (LOLER)
  • Pressure system examinations
  • Local exhaust ventilation (LEV) testing
  • Fire safety equipment testing and servicing
  • Emergency lighting and alarm tests

Specific legal requirements:

  • Lifting equipment: Thorough examination every 6-12 months (LOLER 1998)
  • Electrical equipment: Regular inspection based on risk assessment
  • LEV systems: Thorough examination every 14 months (COSHH)
  • Fire alarm: Weekly testing, annual servicing
  • Emergency lighting: Monthly and annual testing

Retention period:

  • Keep current inspection certificates readily available
  • Retain for at least 3 years to demonstrate maintenance history
  • LOLER reports must be kept until superseded by next examination

Why it matters: If equipment fails and causes injury, inspectors will immediately ask for maintenance and inspection records. Gaps in records suggest negligence and can result in prosecution.

6. Health surveillance records

When required: Health surveillance is needed when employees are exposed to specific health risks:

  • Noise (hearing conservation programme)
  • Vibration (hand-arm vibration syndrome monitoring)
  • Respiratory sensitizers or irritants
  • Skin sensitizers or corrosives
  • Asbestos, lead, or other regulated substances
  • Ionizing radiation
  • Compressed air work

What to record:

  • Employee's name and date of birth
  • Type and date of surveillance
  • Name and qualifications of person conducting surveillance
  • Results and any action taken
  • Date next surveillance is due

Confidentiality requirements:

  • Health surveillance records are confidential medical data
  • Must be kept separately from general personnel files
  • Restricted access to authorized health professionals and managers on a need-to-know basis
  • Comply with UK GDPR and medical confidentiality requirements

Retention period:

  • COSHH health surveillance: 40 years from date of last entry
  • Noise exposure records: 40 years
  • Asbestos exposure: 40 years
  • Ionizing radiation: 50 years
Warning:

The 40-year retention period reflects the reality that many occupational diseases take decades to manifest. Mesothelioma from asbestos exposure, for example, typically appears 20-50 years after exposure. You must maintain records for the full period.

7. Consultation and communication records

What to document:

  • Health and safety committee meeting minutes
  • Records of consultation with employees or representatives
  • Trade union safety representative appointments and activities
  • Employee safety suggestions and responses
  • Safety notices and bulletins distributed
  • Evidence of policy distribution
  • Sign-off sheets for important communications

Legal basis:

  • Employers must consult employees on health and safety matters
  • Safety Representatives and Safety Committees Regulations 1977 (unionized workplaces)
  • Health and Safety (Consultation with Employees) Regulations 1996 (non-unionized workplaces)

Retention period:

  • Keep meeting minutes for at least 3 years
  • Retain consultation records for significant changes for 6+ years

Why it matters: Consultation isn't optional. Records prove you involved employees in health and safety decisions rather than imposing changes without their input.

8. Employers' liability insurance certificate

Legal requirement:

  • Display current certificate at each workplace
  • Maintain minimum coverage of £5 million (most policies provide £10 million)
  • Retain all certificates, including expired ones, for 40 years

Why 40 years: Occupational diseases and injuries may not manifest for decades. Former employees can bring claims many years after exposure, and you must prove you had valid insurance covering the relevant period.

Retention requirement:

  • Keep current certificate displayed or readily available for inspection
  • Archive all expired certificates securely for 40 years

Many employers display current certificates but discard expired ones. This is a serious error. You may face uninsured claims from former employees if you cannot prove insurance coverage from decades ago. Keep every certificate.

Organizing and storing records effectively

Good record keeping requires more than just retaining documents. Records must be organized, accessible, secure, and maintained properly.

Central records system

Establish a clear system for where each type of record is kept:

  • Create a records index listing what you keep and where it's stored
  • Use consistent naming conventions for files and folders
  • Maintain both current and archived records in an organized way
  • Ensure authorized personnel know where to find records

Digital vs. paper records

Both formats are acceptable legally, provided records are:

  • Secure and protected from loss or damage
  • Accessible when needed by authorized personnel
  • Accurate and complete
  • Compliant with data protection requirements

Digital advantages:

  • Easy to search, retrieve, and share
  • Automated backup and disaster recovery
  • Access controls and audit trails
  • Space-efficient
  • Automated reminders for reviews and renewals

Digital requirements:

  • Regular automated backups (use 3-2-1 rule: 3 copies, 2 media types, 1 off-site)
  • Robust cybersecurity measures
  • Plans for long-term accessibility (file formats that remain readable)
  • Data protection compliance
  • Version control for updated documents

Paper advantages:

  • No technical skills or systems needed
  • Original signatures carry legal weight
  • Not vulnerable to cyber attacks or system failures
  • Immediate access without passwords

Paper requirements:

  • Secure storage in locked cabinets
  • Protection from fire, water, and environmental damage
  • Organized filing system
  • Off-site copies of critical records
  • Regular review to prevent loss through deterioration

Digital vs. Paper Record Keeping

Digital Records

  • Easy to search and retrieve quickly
  • Automated backups protect against loss
  • Access controls ensure data security
  • Space-efficient storage
  • Automated review reminders possible
  • Easy to share with inspectors
  • Requires IT infrastructure and backup systems
  • Vulnerable to cyber threats

Paper Records

  • No technical requirements or systems needed
  • Original signatures provide authenticity
  • Not vulnerable to digital threats
  • Immediate access without passwords
  • Requires significant physical storage space
  • Risk of loss through fire, flood, or deterioration
  • Time-consuming to search and retrieve
  • Difficult to share or duplicate

Bottom line: Many organizations use a hybrid approach: maintaining digital systems for day-to-day operations while keeping paper copies or secure digital archives of critical long-term records. Choose the approach that fits your resources and technical capability, but ensure records are secure and accessible.

Access control and confidentiality

Different records require different levels of access:

General records (low sensitivity):

  • Workplace inspection reports
  • Fire drill records
  • Training schedules
  • General risk assessments

Restricted records (personal data):

  • Individual training records
  • Accident reports with personal details
  • Individual risk assessments
  • Consultation records naming individuals

Highly confidential (medical/sensitive):

  • Health surveillance records
  • Occupational health reports
  • Mental health risk assessments
  • Records of sensitive incidents

Implement appropriate controls:

  • Role-based access for digital systems
  • Locked cabinets for paper records
  • Separate storage for medical records
  • Clear policies on who can access what
  • Audit trails for sensitive record access

Review and maintenance schedule

Establish regular reviews to keep records current:

  • Annual review of health and safety policy
  • Review risk assessments after incidents or changes
  • Update training matrices as training is completed
  • Archive records according to retention schedules
  • Dispose of records past retention periods (securely)
  • Check backup systems are working
  • Verify records remain accessible and readable

Record keeping maintenance schedule

Daily/Weekly
Record new incidents and training

Log accidents, near misses, training completed, and equipment inspections as they occur

Monthly
File and organize records

Ensure loose records are filed properly, update digital systems, check nothing is missing

Quarterly
Review record completeness

Audit whether required records are being maintained, identify gaps, verify backups

Annually
Archive and update policies

Move old records to archive storage, review retention schedules, update policy documents

As needed
Respond to changes

Update records when work changes, new risks emerge, or after incidents requiring documentation

Consequences of poor record keeping

Failure to maintain adequate health and safety records creates multiple problems:

Regulatory enforcement

HSE or local authority inspectors will ask to see records during workplace visits. If you cannot produce them:

  • Improvement notices requiring you to establish proper systems
  • Prohibition notices if lack of records indicates serious uncontrolled risks
  • Prosecution for breaches of regulations requiring specific records
  • Fees for Intervention (FFI) charges at £163/hour for inspector time
  • Fines and legal costs

Civil litigation

When employees or former employees bring claims for work-related injuries or illnesses:

  • You cannot demonstrate you took reasonable precautions
  • You cannot prove you provided training or conducted risk assessments
  • Settlement costs and damages increase
  • Legal fees escalate as you struggle to defend without evidence

Insurance issues

Insurance companies may:

  • Refuse to cover claims if you lack required records
  • Increase premiums significantly
  • Reduce claim payments
  • Decline to renew policies
  • Require costly remedial actions before continuing coverage

Management failures

Without adequate records, you cannot:

  • Identify trends in accidents or near misses
  • Demonstrate whether control measures are working
  • Plan training and resource allocation effectively
  • Make informed decisions about safety improvements
  • Prove compliance with your legal duties
Warning:

"We do the training and inspections, we just don't write them down" is not a defence. In law and in practice, if you didn't record it, you cannot prove it happened. Inspectors and courts will assume you didn't do what you claim.

Frequently asked questions

Some records are required regardless of business size (RIDDOR reports, employers' liability insurance, accident records). The exemption from written records mainly applies to risk assessment findings and policy documentation. However, keeping written records even as a small employer is strongly recommended for your protection and demonstrates good management practice.

Current risk assessments must be readily accessible. When superseded, keep the old versions for at least 3 years. For work involving hazardous substances or serious risks, consider keeping them indefinitely as they may be relevant to future claims or regulatory investigations.

UK health and safety law accepts both digital and paper records, provided they are secure, accurate, accessible when needed, and comply with data protection requirements. Digital records are often more practical but require robust backup systems and cybersecurity measures.

Failure to produce required records during inspection suggests you haven't fulfilled your legal obligations. This can result in improvement notices, prohibition notices if serious risks appear uncontrolled, prosecution for breaches of regulations requiring records, and Fees for Intervention charges. The inspector will assume you didn't do what you cannot document.

Yes, absolutely. You must keep employers' liability insurance certificates for 40 years. This is a legal requirement. Claims for occupational diseases and injuries can be made decades after exposure, and you must prove you had valid insurance covering the relevant period. Many employers mistakenly discard old certificates.

Keep training records for at least 6 years after an employee leaves. Former employees can bring claims for work-related injuries or illnesses, and you need to prove you provided appropriate training. For work involving hazardous substances or serious risks, consider keeping records even longer.

Record the date and time of incident, name of injured person, details of injury, what happened, and first aid or treatment given. Under UK GDPR, keep personal details (like home address) separate to protect privacy. Many modern accident books have tear-out pages to maintain confidentiality.

Yes. Health surveillance records are confidential medical data requiring special protection. They must be kept separately from general personnel files, with access restricted to authorized health professionals and managers on a need-to-know basis. They must be retained for 40 years and comply with UK GDPR and medical confidentiality requirements.

Yes, once the retention period has passed. However, dispose securely (shredding for paper, secure deletion for digital) to comply with data protection law. Many organisations keep records longer than the minimum, especially for serious incidents or hazardous exposures, as protection against future claims.

RIDDOR records document incidents reportable to HSE under RIDDOR 2013 (serious injuries, dangerous occurrences, occupational diseases) and must be kept for at least 3 years. General accident records cover all workplace injuries, however minor. Both should be maintained, with RIDDOR records typically forming a subset of your overall accident records.

Implementing effective record keeping

If you're establishing or improving your record keeping system:

Step 1: Identify required records

Review your legal obligations based on:

  • Your industry and work activities
  • Hazards present in your workplace
  • Specific regulations that apply to your business
  • Size of your workforce
  • Use this article's guidance to create a checklist

Step 2: Choose storage approach

Decide on digital, paper, or hybrid systems based on:

  • Your technical capability and IT infrastructure
  • Number and types of records to maintain
  • Accessibility requirements
  • Budget for systems and storage
  • Long-term retention needs

Step 3: Create templates and forms

Develop standardized templates for:

  • Risk assessment documentation
  • Accident reporting forms
  • Training record sheets
  • Equipment inspection checklists
  • Workplace inspection reports
  • Consultation meeting minutes

Step 4: Assign responsibilities

Clearly define who is responsible for:

  • Creating and updating each type of record
  • Filing and organizing records
  • Conducting periodic reviews
  • Ensuring retention periods are met
  • Responding to requests from inspectors or insurers

Step 5: Implement retention schedule

Document how long each record type must be kept:

  • Create a retention schedule matrix
  • Set up systems for archiving older records
  • Establish procedures for secure disposal after retention periods
  • Ensure critical long-term records (40 years) are protected

Step 6: Train relevant personnel

Ensure everyone involved in record keeping understands:

  • What needs to be recorded and when
  • How to complete forms accurately
  • Where and how to store records
  • Data protection and confidentiality requirements
  • Retention periods and review schedules

Step 7: Monitor and audit

Regularly verify your system is working:

  • Quarterly audits to check records are being maintained
  • Annual comprehensive reviews
  • Spot checks for completeness and accuracy
  • Verification that backups are functioning
  • Identification and correction of gaps

Need help establishing a compliant record keeping system? A health and safety consultant can assess your requirements, set up appropriate systems tailored to your business, and train your staff on maintaining accurate records.

Speak to a professional

Summary: Key record keeping requirements

Essential records all employers must keep:

  • Accident records (all workplace injuries) - 6+ years recommended
  • RIDDOR records (reportable incidents) - minimum 3 years
  • Employers' liability insurance certificates - 40 years
  • Equipment inspection and maintenance records - vary by type
  • Training records - current + 6 years after employee leaves

Additional records if 5+ employees:

  • Written health and safety policy
  • Risk assessment significant findings
  • Health and safety arrangements

Specialized records based on your activities:

  • COSHH assessments and health surveillance - 40 years
  • Noise and vibration exposure records - 40 years
  • Asbestos records - indefinitely
  • Fire risk assessments - current + 3 years
  • Manual handling assessments - 3-6 years

Best practices:

  • Organize records systematically with clear indexing
  • Implement regular review and maintenance schedules
  • Use appropriate access controls and security
  • Keep records longer than minimum when in doubt
  • Back up digital records using 3-2-1 rule
  • Train staff on record keeping procedures
  • Audit compliance regularly
Key Point

Record keeping is not optional bureaucracy. It's fundamental evidence that you're managing health and safety properly. Without comprehensive records, you cannot demonstrate compliance, defend claims, or protect your business. Invest time in establishing proper systems now to avoid serious problems later.

Related articles:

Useful tools: