How do you prove your team has read a policy or risk assessment?
To prove someone has read a policy or risk assessment, you need a record that can answer four questions — and keep answering them years later: who acknowledged it, which exact version they saw, when they confirmed it, and whether the record has been altered since. A signature on a printout, or a read-receipt on an email, only proves something was sent — not that the right person saw the current version, or that the record can still be trusted when it's questioned. This guide sets out the four-part test in full, why the usual methods fail it, and what to keep instead.
The four-part test: what proof actually has to show
Any record you rely on should pass all four. Most don't.
- Who — A specific, named individual is tied to the acknowledgement — not a team, a circulation list, or "everyone on site." You can show which person confirmed.
- Which version — The acknowledgement is locked to the exact version of the document they saw. When the document changes, last year's confirmation doesn't silently roll forward onto wording that didn't exist yet.
- When — The confirmation carries a date and time recorded at the moment it happened — contemporaneous, not reconstructed afterwards from memory or a follow-up email.
- Unaltered — You can show the record hasn't changed since. A record anyone could quietly edit later isn't evidence of anything; it's just a note.
Why the common approaches fall short
Each familiar method handles part of the test and misses the rest:
- Signed paper / signature sheet — covers who and roughly when, but a page can be re-signed, back-dated, lost, or detached from the version it referred to. Fails which version and unaltered.
- "Please confirm you've read this" emails — sending proves the document went out; a reply proves someone replied, not that they read the attached version. A read-receipt shows an email was opened, not a document taken in. Weak on which version and unaltered.
- Shared drive or intranet ("it's all there") — availability isn't acknowledgement. You can show a document existed, not that a named person opened the current one. Fails who and when.
- Spreadsheet of sign-offs — convenient, but anyone with access can edit any cell, including the dates, after the fact, so it fails unaltered by design. (Full breakdown in the spreadsheet guide.)
- E-signature tools — strong on a signature event, but built to sign a contract, not to bind an acknowledgement to a specific document version and keep that record sealed over time.
Sent, read, and proven are three different things
Most tools help you send a document, and some help you collect a signature. Far fewer produce a record built to stay evidence — complete, locked the moment it's made, and tied to the exact version. The gap between "we circulated it" and "here is the sealed record of who confirmed which version, and when" is invisible on an ordinary day. It's the thing that matters on the day someone asks.
What UK law expects
Two duties sit underneath all of this. The Health and Safety at Work etc. Act 1974 (section 2) requires employers to provide the information, instruction, training and supervision needed to keep employees safe, so far as is reasonably practicable. The Management of Health and Safety at Work Regulations 1999 (regulation 10) require employers to give employees comprehensible, relevant information on the risks their risk assessments identify and the precautions to take.
Both duties are about informing people; neither prescribes a particular way to record that you did. But a record is what lets you show it afterwards — and for health and safety, "afterwards" can be a long way off: under the Limitation Act 1980, a personal injury claim can be brought years after the event. None of this is legal advice — it's the practical reason a record that stays intact over time is worth more than one that merely exists today.
When you'll actually be asked
The question rarely comes up until something prompts it:
- a principal contractor or client runs a pre-qualification check and asks for evidence your team acknowledged the method statement;
- an insurer reviews a claim after an incident and asks what the people involved had confirmed, and when;
- an HSE inspector follows up after a report;
- a dispute turns on whether someone was told about a procedure;
- staff turnover means the person who "remembers everyone signing" has left.
In each case the useful answer isn't "we sent it round." It's a record that passes the four-part test.
How Provenly captures this
Provenly is built around the four-part test rather than bolted on to it:
- Who — each acknowledgement is tied to the named individual who confirmed it.
- Which version — the confirmation is locked to the exact version of the document they saw; update the document and you get a fresh acknowledgement against the new version, not a silently inherited one.
- When — every confirmation is time-stamped at the moment it's made — contemporaneous by design.
- Unaltered — each record is sealed and linked into a running chain, so if an earlier entry were ever changed the chain would no longer line up. That's what tamper-evident means in practice: not that tampering is impossible, but that it can't go unnoticed.
The result is a complete, contemporaneous, tamper-evident record of who acknowledged which version, and when — exactly what the four-part test asks for.
Frequently asked questions
Does a signature prove an employee read a document?
It proves they signed something at some point. On its own it doesn't show which version they saw or that the record hasn't changed since — two of the four things a reliable record needs.
Is an email read-receipt enough to prove someone read a policy?
No. A read-receipt shows an email was opened, not that the attached document was read, and it isn't tied to a specific version in a sealed record.
What's the difference between sending a policy and proving it was read?
Sending shows the document went out. Proving identifies the named person, the exact version, the time they confirmed, and that the record is unaltered.
Can a spreadsheet be used as proof of H&S sign-off?
It can track sign-offs, but because anyone with access can edit any cell afterwards, it fails the "unaltered" test — making it a tracker, not evidence.
How long should acknowledgement records be kept?
Long enough to cover any period someone might ask about them, which for health and safety can be years after the fact — which is why the record staying unalterable over time matters as much as capturing it.
Written by Matt McAllen, Chartered Member of IOSH (CMIOSH). Matt spent nine years as a health & safety consultant before building Provenly — and the gap this guide describes, proving who had read and signed what, was the one he kept finding on client visits.
Last updated 3 June 2026.
Sources
- Health and Safety at Work etc. Act 1974, s.2 — legislation.gov.uk/ukpga/1974/37/section/2
- The Management of Health and Safety at Work Regulations 1999, reg.10 — legislation.gov.uk/uksi/1999/3242/regulation/10
- Limitation Act 1980, ss.11 & 14 — legislation.gov.uk/ukpga/1980/58
Go deeper