How long risk assessment records should be kept is an important question. You don’t want to get rid of them if they might still be of use, but keeping any records that might identify individuals for too long might put you in breach of your duties under data protection laws. There’s no legal minimum time that you must keep risk assessment records, but given that anyone who is injured can make a claim within three years you should keep risk assessment records for at least three years.
You’re under a legal obligation to carry out risk assessments to identify risks to the health and safety of your staff and others (such as customers or visitors). As part of your risk assessment you must also assess how to reduce or remove those risks and ensure you act on your findings.
Keeping records of risk assessments
Legal requirements for record keeping
If you employ five or more people, you’re legally required to keep written records of your health and safety risk assessments. If you have fewer than five employees, you don’t have to write anything down (although you must still do risk assessments). However, even if you employ fewer than five people, it’s a good idea to record your risk assessments in writing so that you can refer back to them later if a problem arises.
If you’re legally obliged to keep records, they must include the findings of your risk assessment (including what risks have been identified, who could be harmed and how, and how you will remove or reduce the risks). You should also identify any group of employees who are particularly at risk (eg lone workers, pregnant women, etc).
General risk assessment for an office , General risk assessment for a shop or other business open to customers and General risk assessment for remote workers contain the legally required information (but you must make sure you fill them in properly, taking into account risks specific to your workplace).
How long should risk assessment records be kept?
There’s no legal minimum time that you must keep your risk assessments. The HSE recommends only that you keep them for as long as they remain relevant to your business. As a general rule, five years should be suitable in most businesses.
You should keep risk assessments for three years at a minimum, because this is the normal length of time anyone who is injured has to make a claim for compensation against your business. In some cases it will be appropriate to keep your risk assessments for much longer, for example it may be best to keep risk assessments relating to a particular manufacturing process for as long as that process is being carried out.
Providing records to employees
You don’t have to give copies of your risk assessments to your employees. However, you’re legally required to keep them informed about health and safety in your workplace by telling them what risks you have identified and what you have done to help protect them from those risks, so making your assessment available can be an efficient way of doing this. When completing your risk assessment, you should consult with your employees as they are well placed to identify risks and advise on how risks can be mitigated.
If you employ any children, you must provide both the child and a parent or guardian with information on risks to the child’s health and safety identified in the risk assessment and also what preventative and protective measures you have or will put in place.
Conducting risk assessments
When to conduct and review risk assessments
You should perform a general risk assessment as soon as you become an employer.
You’re then legally required to review and renew your general risk assessment if it’s no longer valid for some reason, or there have been significant changes to anything that it covers.
For example, you should carry out a new risk assessment if you change business premises or your existing ones are reconfigured. You should also look out for less obvious changes and review your risk assessment where necessary (for example, if you buy a new piece of potentially hazardous equipment, someone suffers (or nearly suffers) an injury at your workplace, staff change their work practices, or your staff report a potential problem).
In practice, your business will inevitably change over time, so even if you do not spot any trigger, you should review and update your risk assessment regularly. There is no set time frame by which you must review your risk assessment; an annual review is a sensible starting point for most businesses.
Crucially, you must ensure that you actually do something about any health and safety issues your risk assessment identifies; it’s not enough to just do a ‘box-ticking’ exercise. See Deciding what action to take for details of some of the kinds of things you might need to do to reduce the risks that you identify (but bear in mind that every business is unique and you must give careful thought to exactly what your workplace requires).
Marion joined Sparqa Legal as a Senior Legal Editor in 2018. She previously worked as a corporate/commercial lawyer for five years at one of New Zealand’s leading law firms, Kensington Swan (now Dentons Kensington Swan), and as an in-house legal consultant for a UK tech company. Marion regularly writes for Sparqa’s blog, contributing across its commercial, IP and health and safety law content.