HACCP Regulations

HACCP & the Due Diligence Defence: How Your Plan Protects You

The Due Diligence Defence and How Your HACCP System Provides It

Section 21 of the Food Safety Act 1990 provides what is known as the "due diligence defence". If a food business is charged with a food safety offence, it can defend itself by proving that it took all reasonable precautions and exercised all due diligence to avoid committing the offence. Your HACCP plan is the primary evidence for this defence. A well-documented, actively maintained HACCP system demonstrates that you identified the risks, put controls in place, monitored them, and acted when things went wrong. Without it, the due diligence defence is almost impossible to establish. This article explains how the defence works and what your HACCP system needs to demonstrate.

Key takeaways

The due diligence defence under Section 21 of the Food Safety Act 1990 requires proving you took ALL reasonable precautions AND exercised ALL due diligence.
Your HACCP plan, monitoring records, corrective action logs, training records, and review minutes are the primary evidence for this defence.
A plan that exists on paper but is not followed in practice does not satisfy the due diligence requirement.
Honest records showing occasional problems with documented corrective actions are stronger evidence than suspiciously perfect records.
The defence fails most commonly when allergen controls are absent, records are incomplete, or the business ignored previous warnings.

The Legal Test: All Reasonable Precautions and All Due Diligence

The due diligence defence has two limbs. First, you must show that you took "all reasonable precautions" to avoid committing the offence. This means putting systems in place before the problem occurred: a HACCP plan, training programmes, supplier approval procedures, monitoring systems, and documented procedures. The word "all" is important - you cannot rely on having some precautions in place if other obvious ones were missing. If you had temperature monitoring for cooking but not for chilled storage, and the offence related to a chilled food, your precautions were not "all" that were reasonable.

Second, you must show that you exercised "all due diligence" in following those precautions. This means the systems you put in place were actually followed in practice. A beautifully written HACCP plan that sits in a drawer while staff ignore it does not satisfy the due diligence limb. You need evidence that monitoring was conducted, that records were completed, that corrective actions were taken when things went wrong, and that the system was reviewed and updated regularly.

Both limbs must be satisfied. Having a plan (reasonable precautions) but not following it (no due diligence) fails. Following procedures (due diligence) but not having identified the hazard in the first place (insufficient precautions) also fails.

What Evidence Your HACCP System Must Provide

If your due diligence defence is tested in court, the evidence from your HACCP system needs to demonstrate several things:

A documented hazard analysis showing you identified the hazard that caused the offence (or that the hazard was not reasonably foreseeable given the information available to you at the time).
CCP identification showing you put a control measure in place for that hazard.
Critical limits showing the control measure had a defined, measurable standard.
Monitoring records showing the control measure was checked at the documented frequency and by the documented method.
Corrective action records showing that when deviations occurred, they were detected and acted upon.
Verification records showing the system was reviewed and audited, including annual review minutes and internal audit reports.
Training records showing staff responsible for CCPs were trained and competent.
Supplier records showing you verified your suppliers were providing safe ingredients.

The strength of the defence depends on the completeness and credibility of these records. Gaps in monitoring logs, missing corrective actions, or a plan that has not been reviewed in two years all weaken the defence. Conversely, a record showing an occasional out-of-range temperature with a documented corrective action is stronger evidence than perfect records (which courts and experts may view sceptically).

When the Defence Succeeds and When It Fails

The due diligence defence succeeds when the business can show a comprehensive, proportionate system that was actively followed and maintained. In practice, businesses that successfully rely on the defence have several characteristics in common: they can produce their HACCP documentation quickly and in good order; their records show consistent monitoring with occasional documented deviations and corrective actions; staff at all levels can demonstrate understanding of food safety procedures; the business responded appropriately and promptly when the incident occurred; and there is evidence of regular review and improvement. The defence fails when: there is no documented food safety management system, or the system is generic and not tailored to the business; records are incomplete, fabricated, or retrospectively completed; staff cannot demonstrate understanding of the procedures they are supposed to follow; the business knew about a risk and failed to act (e.g. a previous EHO warning about the same issue); or the business did not respond appropriately to the incident when it occurred. A common scenario where the defence fails is allergen-related prosecution. If a customer suffers an allergic reaction and the business has no allergen matrix, no documented cross-contact controls, and staff who have not received allergen training, the defence cannot succeed because the precautions were obviously insufficient.

Strengthening Your Due Diligence Position

Think of your HACCP system as a legal shield that you build and maintain continuously, not something you construct after a problem occurs. Every temperature log, every corrective action record, every training certificate, every annual review minute, every supplier audit record is a brick in that shield. To strengthen your position: ensure your HACCP plan is specific to your business, not a generic template; monitor CCPs at the documented frequency every single day, not just on days you expect an inspection; record corrective actions honestly - a culture of hiding problems is the biggest threat to your due diligence defence; train all staff and keep dated records of what they were trained on; review your plan at least annually and after trigger events; retain records for at least 12 months (the FSA recommendation), longer if possible; respond to EHO advice promptly and document your response; and treat customer complaints as valuable data, not threats. Consider engaging a food safety consultant for an annual external audit. Independent verification strengthens the "reasonable precautions" limb by demonstrating that you sought expert input. If you operate in a sector serving vulnerable groups (care homes, nurseries, hospitals), the standard of due diligence expected is higher because the consequences of failure are more severe. Your system must reflect this heightened duty of care.

What to do next

Stress-test your due diligence evidence

Imagine a food safety incident happened today. Could you produce your HACCP plan, the last 3 months of monitoring records, your corrective action log, staff training certificates, and your most recent review minutes within 30 minutes? If not, organise your documentation.

Check your records for gaps and inconsistencies

Review the last 3 months of temperature logs, cleaning records, and corrective action entries. Are there any days with no records? Any suspiciously perfect runs with no deviations? Address gaps and encourage honest recording.

Document your response to every EHO interaction

Keep copies of all EHO inspection letters, record what actions you took in response, and the dates you completed them. This builds a documented history of proactive compliance that strengthens your due diligence position.

Common mistakes to avoid

Mistake: Relying on insurance instead of due diligence
Instead: Public liability insurance covers compensation claims, not criminal prosecution. The due diligence defence is your protection against criminal liability. Insurance and due diligence serve different purposes - you need both.

Mistake: Assuming the defence only matters if something goes wrong
Instead: Your due diligence evidence is built through daily actions over months and years. You cannot construct it after an incident. The temperature log you completed this morning may be the evidence that protects your business next year.

Frequently asked questions

Does a due diligence defence guarantee I will not be convicted?

No. The defence must be proven by the business on the balance of probabilities. The court assesses whether your precautions were genuinely "all reasonable" and whether you truly exercised "all due diligence". A strong HACCP system significantly increases your chances of a successful defence, but the court examines the totality of the evidence.

Can a small business claim due diligence with just an SFBB pack?

Yes, if the SFBB pack is properly completed, maintained, and actively followed. The courts recognise proportionality. A small cafe with a well-maintained SFBB pack, complete diary entries, staff training records, and evidence of regular review can establish due diligence to the standard appropriate for its size and complexity.

How long should I keep HACCP records for due diligence purposes?

The FSA recommends at least 12 months. However, for due diligence purposes, keeping records for at least 3 years is advisable. Prosecutions can be initiated some time after an incident, and having historical records available strengthens your defence. Digital record-keeping makes long-term retention practical and cost-effective.

Does having a food safety consultant improve my due diligence defence?

It can help establish the "reasonable precautions" limb by demonstrating you sought expert advice. However, you cannot delegate the due diligence obligation entirely to a consultant. You must still follow the system they helped you create, maintain records, train staff, and review the system regularly. The consultant adds expertise; the daily implementation remains your responsibility.
