12.10 Electronic Access Control (EACS)

Personal data held on the database of an access control system will be used for all or some of the following purposes:

  • control of access to and within the premises
  • control of egress from and within the premises
  • logging all controlled access and egress activity
  • logging unauthorised access attempts to restricted areas; and 
  • time and attendance verification

The personal data held by the system is limited to:

  • name of the user
  • employer
  • payroll or other identifying number or reference
  • photographic image
  • biometric data
  • vehicle registration; and/or
  • mobile phone number and email address

Access control biometric data (see section 12.5) must be converted into code at the point of capture, and no biometric images may be retained or otherwise stored in the database. Furthermore, it should not be possible to recreate (i.e. reverse-engineer) the biometric data from the code. For the avoidance of doubt, the advice of the manufacturer should be sought in relation to the data compliance of its processing methods.

Access to EACS data shall be password protected and limited to the data controller, data manager and data processors on a need-to-know basis.

The PC employed for the management of access control should be identified by a controlled data storage device URN label.

Right to be Informed – a statement of the purpose of the EACS (including time and attendance verification if appropriate) should be included in contracts of employment and in Visitor Log entries signed by visitors and contractors.

Consent is not usually appropriate in an employment context for EACS because of the imbalance of power. One exception may be if the biometric entry system is optional and a less intrusive alternative is provided. Otherwise, the consent isn’t ‘freely given’ because the individual can’t access their place of work otherwise and so has no option except to consent if they want to do their job. Consent obtained on this basis isn’t legally valid.

Archive Retention – we recommend an archive retention period of 90 days, subject to there being a legal justification for keeping the data for a longer period (e.g. in the event of a legal dispute). 

Archive retention of data relating to incidents that are, or may be, the subject of investigation shall be until notification by the investigating body that the case is closed or, in the absence of such notification, for a period not exceeding 7 years.

Privacy – access to personal data shall be password protected and managed on computer devices identified by unique reference numbers logged in a Controlled Data Register. 

Subject Access Request – refer to section 8.1.

Process – the following or a similar process should be agreed between the landlord or managing agent and the security service provider, and included in the assignment instruction.

Any request for the use of the access control system which entails personal data being entered into a database should be in the form of a hard copy form or email, addressed to the person nominated by the data controller to manage the access control database.

The request should include the following information as appropriate:

  • name of organisation making the request
  • name of the person making the application
  • name of the proposed user
  • photo ID if appropriate
  • vehicle registration
  • a schedule of required access reader points and
  • any other required information

If the request is made by an organisation that is a tenant of the data controller, the tenant should sign a Data Sharing Agreement with the other data controller. The Agreement should recognise that personal data belonging to the tenant’s staff is being processed by the disclosing data controller and that the tenant may have access to activities relating to their staff being processed by the disclosing data controller’s system.

On receipt of the request the nominated person should:

  • inform the applicant whether or not it has been approved and
  • (if approved) inform the applicant that a token/card has been programmed and is ready for collection by the user
  • in the case of biometric recognition, inform the applicant that the user needs to attend to register their fingerprint and
  • the applicant or user must sign for receipt of the token/card. If biometric, the registration process is recognised as formal receipt.

Database Audit – a routine request should be made, at an agreed interval, to the person responsible for managing access control (tenant or head of department) to provide a schedule of current users, which should be checked against the system database. Any discrepancies should be brought to the attention of the tenant or other party.

Lost Cards/Tokens – in the event of a loss being reported, the card/token should be immediately deleted from the system and reported in the security service provider’s daily occurrence log.