Sign in Subscribe

Key Register: Legal Requirements and Best Practice for UK Businesses

Jamie Dawson

2 min read
Key Register: Legal Requirements and Best Practice for UK Businesses

Physical key management is one of the most overlooked aspects of premises security in the UK. While businesses invest heavily in electronic access control and alarm systems, the humble key register — the record of who holds which keys and when they were issued — is often absent or inadequate. The consequences can be severe: insurance claims refused, criminal liability for negligence, and in regulated environments, enforcement action from inspectors.

Why a Key Register Is Essential

A key register provides a complete audit trail for every physical key that gives access to your premises, vehicles, safes, or sensitive areas. Without one, it is impossible to demonstrate to an insurer that keys were properly controlled following a break-in. It is impossible to know which former employees still hold keys after leaving. And it is impossible to identify who had access to an area where a theft or security incident occurred.

Many commercial insurance policies contain conditions requiring key security. Failure to maintain a key register — and to demonstrate proper key control — can provide insurers with grounds to reduce or refuse a claim following a break-in.

What a Key Register Must Contain

A proper key register should record each key by a unique reference number, the lock or area it provides access to, the date the key was cut or issued, the full name of the current holder, the date the key was issued to the current holder, the date the key was returned, and the signature of the person receiving and returning the key.

The register should also record the total number of keys cut for each lock, so it is always possible to verify that all keys are accounted for. Any key that cannot be accounted for should trigger a security review and potentially a lock change.

Master Keys and High-Security Keys

Master keys — keys that open multiple locks — require especially rigorous record-keeping. The loss of a master key is a serious security event that may require all affected locks to be changed. The register must clearly identify every master key by a unique reference, record all persons who have ever held it, and record any instances of loss or suspected compromise.

For high-security environments, a separate master key log maintained by a designated key custodian is best practice. Access to master keys should be limited to the minimum number of persons required.

Key Handover on Departure

One of the most common failures in key management is the failure to recover keys when employees leave. The key register must record the return of all keys on or before an employee's last working day. Where keys are not returned — because they are lost or the employee fails to surrender them — the incident must be recorded and a risk assessment carried out to determine whether locks should be changed.

Retention of Key Register Records

Key register records should be retained for at least five years. In the event of a security incident, records going back further may be relevant — particularly where litigation or insurance claims involve questions about key control at a specific historical date.

Key Takeaways

  • A key register must record every key by unique reference, the lock it accesses, the current holder, issue and return dates, and signatures.
  • The total number of keys cut for each lock must be recorded so all keys can be accounted for at any time.
  • Master keys require especially rigorous records — their loss may require all affected locks to be changed.
  • Keys must be recovered and the register updated on or before an employee's last working day.
  • Insurance policies often contain key security conditions — inadequate key records can give insurers grounds to refuse claims.
  • Key register records should be retained for at least five years.

Sign up for more like this.

Enter your email
Subscribe