12.15 Key Register

Typically a paper type Key Register will show the name of the recipient and other personal data such as contact details. It is important that subsequent recipients cannot view previous recipients personal data, for this reason this type of log would not comply with GDPR.

It is recommended that some form of paper based log with a privacy sheet between entries is maintained. Alternatively an electronic asset management log could be employed.

Biometric Recognition System

Statement of Operational Process

[Name of data controller] has installed a [delete as appropriate – Fingerprint Recognition – Facial Recognition – Retina Scanning

Biometric data is converted into code at the point of capture and no biometric images are retained or otherwise stored in the database. Furthermore, it is not possible to recreate an image of the fingerprint from this code.

The personal data held by the system is limited to:-

Add/Delete as appropriate

  • name of the user;
  • employer;
  • payroll or other identifying number or reference;
  • photographic image;
  • biometric data;
  • vehicle registration; and/or
  • mobile phone number and email address

Purpose Personal data held on the database of the system will be used for:

Add/Delete as appropriate

  • control of access to and within the premises
  • control of egress from and within the premises
  • logging all controlled access and egress activity
  • logging unauthorised access attempts to restricted areas
  • time and attendance verification.

Security of AccessAccess to data shall be password protected and limited to the data controller, data manager and data processors on a need to know basis.

The PC employed for the management of access control is identified by controlled data storage device URN label

Right to be Informeda statement of the purpose of the biometric system. (including time attendance verification if appropriate), should be included in contracts of employment and in Visitor Log entries signed by visitors and contractors.

Consentconsent is not usually appropriate in an employment context for EACS and Time and Attendance Recording because of the imbalance of power. One exception may be if the biometric entry system is optional and a less intrusive alternative is provided. Otherwise, the consent isn’t ‘freely given’ because the individual can’t access their place of work otherwise and so has no option except to consent if they want to do their job. Consent obtained on this basis isn’t legally valid.

Archive RetentionTransactions recorded by the system will be retained for the duration of the users employment or visitors attendance on site and will be deleted within *90 days following the end of the employment or the authorised period of any visit.

*An archive retention period of 90 days is recommended, subject to there being a legal justification for keeping the data for a longer period (e.g. in the event of a legal dispute).

Archive retention of data relating to incidents that are or may be the subject of investigation shall be until notification by the investigating body that the case is closed or in the absence of such notification for a period not exceeding 6 years.

Privacyaccess to personal data shall be password protected and managed on computer devices identified by unique reference numbers logged in a Controlled Data Register.

Subject Access Request (SAR) Under data protection legislation individuals have the right to obtain confirmation, usually at no cost to themselves, that their data is being processed by the data controller and to receive copies of that personal data. In the case of surveillance and security systems this would typically be CCTV images or access control data.

Processthe following or similar process should be agreed between the landlord or managing agent with the security service provider and included in the assignment instruction.

Any request for the use of the access control system which entails personal data being entered into a database should be in the form of a hard copy or email addressed to the person nominated by the data controller to manage the access control data base.

The request should include the following information as appropriate:-

  • name of organisation making the request;
  • name of the person making the application;
  • name of the proposed user;
  • photo ID if appropriate;
  • vehicle registration;
  • a schedule of required access reader points; and
  • any other required information.

If the request is made by an organisation that is a tenant of the data controller the tenant should sign a Data Sharing Agreement with the other data controller. The Agreement should recognise that Personal Data belonging to the tenant’s staff is being processed by the Disclosing data controller and that the tenant may have access to activities relating to their staff being processed by the disclosing data controller’s system.

On receipt of the request the nominated person should:-

  • inform the applicant whether or not it has been approved; and
  • (if approved) inform the applicant that token/card has been programmed and is ready for collection by the User


  • in the case of biometric recognition inform the applicant that the user needs to attend to register their fingerprint; and
  • the applicant or user must sign for receipt for the token/card, if biometric the registration process is recognised as formal receipt.

Database Audita routine request at an agreed interval is made of the person responsible for man