12.11 Visitor Logging and Pass Badges
Personal data held on visitor logs and pass badges in either paper or electronic form will be used to:-
- enable identification of individuals authorised to be visiting the premises;
- inform visitors of health and safety policy; and
- establish a roll call of persons on site.
The personal data held is limited to:-
- name of the visitor;
- purpose of visit;
- photographic image;
- biometric data;
- vehicle registration; and
- mobile phone number and email address.
Right to be Informed – a statement of purpose, should be included in or on a sign adjacent to the Visitor Log. (see section 15 G7 & G8)
Consent – due to the lawful basis of this processing consent would not be required. The exception may be if biometric data is used as part of EACS as an optional alternative. Please see section 12.10 above for more information.
Archive Retention – the archive retention period is for the duration of a visitor’s attendance on site, thereafter any personal data shall be deleted within 90 days unless a longer archive period is justifiable and sanctioned by the data controller.
Archive retention of data relating to incidents that are or may be the subject of investigation shall be until notification by the investigating body that the case is closed or in the absence of such notification for a period not exceeding 6 years.
Privacy – access to previous visitors’ data must not be accessible by subsequent visitors.
In the case of paper based logs this is achieved by a privacy sheet between entries and the logbook will be kept in a locked enclosure secure from viewing by unauthorised persons when the visitor facility is unmanned. The data must be securely destroyed (shredded) at the end of the archive period.
Access to electronic visitor logs shall be password protected and managed on computer devices identified by unique reference numbers logged in a Controlled Data Register. The data must be deleted at the end of the archive period.
Process – the following or similar process should be agreed between the landlord or managing agent with the security service provider and included in the assignment instruction:
- Authorisation – where practicable, visitors and contractors must be either pre-booked by the host or confirmed by telephone.
- Pass Badge Issue – telephone the host to inform them of the arrival, assuming the host to be ready to escort the visitor, a badge should then be issued.
- Pass Badge Retrieval – on leaving site the visitor should hand in the pass badge, unless it is auto retrieved by the access control system and be booked off site. Any paper pass badges are to be shredded.
- Archive Management – unless otherwise instructed by the data controller any visitor log books shall be shredded at the end of the archive period following the last entry. Electronic visitor log archives should be auto deleted at the end of the archive period.