Access Control Records: What UK Businesses Must Keep
Access control systems — electronic door entry, key fob systems, swipe cards, PIN pads, and biometric readers — are now standard in UK commercial premises. But the records generated by these systems, and the obligations around maintaining them, are frequently overlooked. For businesses subject to security vetting, insurance requirements, or regulatory inspection, inadequate access control records can create serious problems.
Why Access Control Records Matter
Access control records serve several distinct purposes. They provide an audit trail showing who entered which areas and when — essential evidence in the event of theft, vandalism, data breach, or personal injury. They demonstrate to insurers that the premises are properly secured. They support compliance with data protection obligations where access to areas containing personal data is controlled. And in regulated environments — data centres, pharmaceutical facilities, critical national infrastructure — they may be required by the relevant regulatory body.
What Records Should Be Maintained?
A comprehensive access control logbook or register should include:
- a list of all persons authorised to access the premises and each controlled area within it;
- the credentials issued to each person — card number, fob reference, or biometric record;
- the date credentials were issued and the access level granted;
- any changes to access rights, with the date and reason for each change;
- the date credentials were withdrawn or deactivated when a person leaves or changes role.
System-generated access logs — the electronic record of every entry event, typically showing credential, door, date, and time — should be retained separately from the administrative register. These logs provide the detailed audit trail that matters most in the event of an incident.
Retention Periods for Access Control Data
Access control logs contain personal data — specifically, records of where named individuals were at particular times. Under the UK GDPR, this data must not be retained for longer than necessary for the purpose for which it was collected. For most businesses, retaining access logs for between 30 and 90 days is proportionate and sufficient for security purposes. For higher-risk environments or where access logs may be relevant to ongoing investigations, longer retention may be justified and should be documented.
Administrative records — the register of authorised persons and credentials — should be retained for as long as the access control system is in operation, plus a reasonable period for audit purposes.
Biometric Access Control
Where access control uses biometric data — fingerprints, facial recognition, retinal scans — the data protection obligations are significantly more stringent. Biometric data is special category data under the UK GDPR, requiring explicit consent or another specific legal basis for processing. A Data Protection Impact Assessment must be documented before deployment. Records of consent and the DPIA must be retained.
Leavers and Credential Revocation
One of the most important access control record-keeping disciplines is the prompt revocation of credentials when a person leaves the organisation or changes role. The record must show that credentials were deactivated on or before the person's last day of authorised access. Failure to revoke access credentials promptly is both a security risk and a potential data protection breach — and the absence of records demonstrating timely revocation is a red flag in any security audit.
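The register, the separate system-generated log, the retention period and the revocation check described above can all be exercised over sample data. The following is an added example written for this article, not code from the original or from any access control vendor: it models the administrative register and the entry log as two separate records, then runs the audit a reviewer would perform (was each leaver's credential deactivated on or before their last day, does the log show a credential in use after that day, and which log events fall outside the documented retention window). Every name, credential identifier and date is constructed for illustration.

```python
"""Access control register and log audit helpers (added example).

Models the two records the article separates, the administrative register
and the system-generated access log, and runs three defensive checks:

  1. revocation_audit  - was each leaver's credential deactivated on or
                         before their last day of authorised access?
  2. use_after_revoke  - does the entry log show a credential used after
                         its holder's last day (an exposure, not just a
                         paperwork gap)?
  3. apply_retention   - drop log events older than the documented
                         retention period (the article suggests 30-90 days).

All holders, credential ids, doors and dates are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass
class Credential:
    """One row of the administrative register: holder, credential,
    access level, issue date, revocation date and change history."""
    holder: str
    credential_id: str                  # card number or fob reference
    access_level: str
    issued: date
    revoked: Optional[date] = None      # None = still active
    changes: list = field(default_factory=list)   # (date, reason) per change


@dataclass
class AccessEvent:
    """One system-generated entry event: credential, door, timestamp."""
    credential_id: str
    door: str
    at: datetime


# Constructed sample register (hypothetical values).
REGISTER = [
    Credential("A. Example", "CARD-0001", "all-areas", date(2023, 1, 9),
               revoked=date(2024, 3, 29)),                 # revoked on last day
    Credential("B. Example", "CARD-0002", "office", date(2023, 6, 1),
               revoked=date(2024, 4, 5)),                  # revoked a week late
    Credential("C. Example", "FOB-0003", "server-room", date(2022, 2, 14),
               changes=[(date(2023, 5, 1), "granted server-room access")]),
                                                           # never revoked
]

# Constructed leavers list (from HR): last day of authorised access.
LEAVERS = {
    "A. Example": date(2024, 3, 29),
    "B. Example": date(2024, 3, 29),
    "C. Example": date(2024, 3, 29),
}

# Constructed entry log, kept separately from the register.
LOG = [
    AccessEvent("CARD-0001", "front-door", datetime(2024, 3, 29, 8, 2)),
    AccessEvent("CARD-0002", "front-door", datetime(2024, 4, 2, 7, 55)),   # after last day
    AccessEvent("FOB-0003", "server-room", datetime(2024, 4, 10, 19, 40)),  # after last day
    AccessEvent("CARD-0001", "front-door", datetime(2024, 1, 3, 9, 0)),    # old event
]


def revocation_audit(register, leavers):
    """Map credential_id -> finding for every leaver whose credential is not
    recorded as deactivated on or before their last day."""
    findings = {}
    for cred in register:
        last_day = leavers.get(cred.holder)
        if last_day is None:
            continue                                   # not a leaver
        if cred.revoked is None:
            findings[cred.credential_id] = "no revocation recorded"
        elif cred.revoked > last_day:
            late = (cred.revoked - last_day).days
            findings[cred.credential_id] = f"revoked {late} day(s) late"
    return findings


def use_after_revoke(log, register, leavers):
    """Entry events where a credential was used after its holder's last day."""
    cutoff = {c.credential_id: leavers[c.holder]
              for c in register if c.holder in leavers}
    return [e for e in log
            if e.credential_id in cutoff and e.at.date() > cutoff[e.credential_id]]


def apply_retention(log, today, retention_days=90):
    """Keep only events inside the documented retention window."""
    oldest = datetime.combine(today - timedelta(days=retention_days),
                              datetime.min.time())
    return [e for e in log if e.at >= oldest]


if __name__ == "__main__":
    print("revocation findings:", revocation_audit(REGISTER, LEAVERS))
    for e in use_after_revoke(LOG, REGISTER, LEAVERS):
        print("used after last day:", e.credential_id, e.door, e.at)
    kept = apply_retention(LOG, date(2024, 4, 15))
    print(len(kept), "of", len(LOG), "events inside the 90-day window")
```

The two findings are deliberately different in kind: a late or missing revocation date in the register is the record-keeping failure the article describes, while an entry event after the last day is direct evidence that the exposure was real. Retention is applied to the event log only; the register rows stay for the life of the system, as the article requires.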
Key Takeaways
- Access control registers must record all authorised persons, credentials issued, access levels, and changes to access rights.
- System-generated access logs must be retained — typically for 30 to 90 days — and the retention period documented.
- Biometric access control requires explicit consent, a DPIA, and significantly more stringent record-keeping.
- Credential revocation records must show that access was withdrawn promptly when individuals leave or change role.
- Access control records are key evidence in theft, data breach, and personal injury investigations.