How do you prove your team has read a policy or risk assessment?

To prove someone has read a policy or risk assessment, you need a record that can answer four questions — and keep answering them years later: who acknowledged it, which exact version they saw, when they confirmed it, and whether the record has been altered since. A signature on a printout, or a read-receipt on an email, only proves something was sent — not that the right person saw the current version, or that the record can still be trusted when it's questioned. This guide sets out the four-part test in full, why the usual methods fail it, and what to keep instead.

The four-part test: what proof actually has to show

Any record you rely on should pass all four. Most don't.

  1. Who — A specific, named individual is tied to the acknowledgement — not a team, a circulation list, or "everyone on site." You can show which person confirmed.
  2. Which version — The acknowledgement is locked to the exact version of the document they saw. When the document changes, last year's confirmation doesn't silently roll forward onto wording that didn't exist yet.
  3. When — The confirmation carries a date and time recorded at the moment it happened — contemporaneous, not reconstructed afterwards from memory or a follow-up email.
  4. Unaltered — You can show the record hasn't changed since. A record anyone could quietly edit later isn't evidence of anything; it's just a note.

Why the common approaches fall short

Each familiar method handles part of the test and misses the rest:

Sent, read, and proven are three different things

Most tools help you send a document, and some help you collect a signature. Far fewer produce a record built to stay evidence — complete, locked the moment it's made, and tied to the exact version. The gap between "we circulated it" and "here is the sealed record of who confirmed which version, and when" is invisible on an ordinary day. It's the thing that matters on the day someone asks.

What UK law expects

Two duties sit underneath all of this. The Health and Safety at Work etc. Act 1974 (section 2) requires employers to provide the information, instruction, training and supervision needed to keep employees safe, so far as is reasonably practicable. The Management of Health and Safety at Work Regulations 1999 (regulation 10) require employers to give employees comprehensible, relevant information on the risks their risk assessments identify and the precautions to take.

Both duties are about informing people; neither prescribes a particular way to record that you did. But a record is what lets you show it afterwards — and for health and safety, "afterwards" can be a long way off: under the Limitation Act 1980, a personal injury claim can be brought years after the event. None of this is legal advice — it's the practical reason a record that stays intact over time is worth more than one that merely exists today.

When you'll actually be asked

The question rarely comes up until something prompts it:

In each case the useful answer isn't "we sent it round." It's a record that passes the four-part test.

How Provenly captures this

Provenly is built around the four-part test rather than bolted on to it:

The result is a complete, contemporaneous, tamper-evident record of who acknowledged which version, and when — exactly what the four-part test asks for.


Frequently asked questions

Does a signature prove an employee read a document?

It proves they signed something at some point. On its own it doesn't show which version they saw or that the record hasn't changed since — two of the four things a reliable record needs.

Is an email read-receipt enough to prove someone read a policy?

No. A read-receipt shows an email was opened, not that the attached document was read, and it isn't tied to a specific version in a sealed record.

What's the difference between sending a policy and proving it was read?

Sending shows the document went out. Proving identifies the named person, the exact version, the time they confirmed, and that the record is unaltered.

Can a spreadsheet be used as proof of H&S sign-off?

It can track sign-offs, but because anyone with access can edit any cell afterwards, it fails the "unaltered" test — making it a tracker, not evidence.

How long should acknowledgement records be kept?

Long enough to cover any period someone might ask about them, which for health and safety can be years after the fact — which is why the record staying unalterable over time matters as much as capturing it.

Written by Matt McAllen, Chartered Member of IOSH (CMIOSH). Matt spent nine years as a health & safety consultant before building Provenly — and the gap this guide describes, proving who had read and signed what, was the one he kept finding on client visits.

Last updated 3 June 2026.

Sources

Go deeper