Build your access control around privacy by design
1) Be up-front and specific (transparency).
Give staff clear, layered information at the point of capture and in internal docs. Say what you collect (door events, any associated images), why (safety and security), who sees it (security/FM/HR in defined circumstances), how long you keep it, and how to exercise rights. The ICO’s surveillance guidance shows what good signage and notices look like; mirror that approach for doors and lobby cameras.
2) Pick a defensible lawful basis.
For standard door logs, legitimate interests is common; document your assessment and safeguards (e.g., no tracking beyond what’s necessary for security). If you intend to reuse logs for HR purposes (e.g., productivity), reassess: the legal and ethical bar is higher and may be inappropriate. The ICO’s monitoring-workers guidance exists precisely to keep you from sliding into “function creep.”
3) Do a DPIA early for higher-risk cases.
If you process special category biometric data, or you systematically monitor entrances (especially where staff might feel compelled), complete a Data Protection Impact Assessment before you buy hardware. The ICO expects this; it is your evidence trail that you assessed necessity, proportionality and risks, and that you chose mitigations (alternatives, short retention, access controls, training).
4) Minimise and set retention.
Collect what you need, not everything you can. Typical practice is to keep routine access logs for a defined, short period unless they’re needed for an incident. Automate deletion and document the policy; avoid “keep forever”. The same logic applies to camera footage linked to doors.
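One way to automate the deletion described in point 4, as an added example that is not from the original article: a purge job that deletes routine door events past the retention window, keeps events linked to an incident, and records each run so the policy is evidenced. The table layout, the 30-day window, the `incident_ref` hold column and the sample rows are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30  # assumed policy value; the article only says "defined, short period"

# Hypothetical schema: timestamps are stored as UTC ISO-8601 strings.
SCHEMA = """
CREATE TABLE door_events (id INTEGER PRIMARY KEY, badge_id TEXT, door TEXT,
                          ts TEXT NOT NULL, incident_ref TEXT);
CREATE TABLE purge_audit (run_at TEXT, cutoff TEXT, deleted INTEGER, held INTEGER);
"""

def purge_expired(conn, now, retention_days=RETENTION_DAYS):
    """Delete routine events older than the window; keep incident-linked rows."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    with conn:  # one transaction: the delete and its audit row commit together
        held = conn.execute(
            "SELECT COUNT(*) FROM door_events "
            "WHERE ts < ? AND incident_ref IS NOT NULL", (cutoff,)).fetchone()[0]
        deleted = conn.execute(
            "DELETE FROM door_events "
            "WHERE ts < ? AND incident_ref IS NULL", (cutoff,)).rowcount
        conn.execute("INSERT INTO purge_audit VALUES (?, ?, ?, ?)",
                     (now.isoformat(), cutoff, deleted, held))
    return deleted, held

def build_sample_db(now):
    """In-memory database with constructed sample events (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        ("B-1001", "lobby", now - timedelta(days=2), None),             # inside window
        ("B-1001", "lobby", now - timedelta(days=45), None),            # expired
        ("B-2002", "data-room", now - timedelta(days=60), "INC-0001"),  # on hold
        ("B-3003", "lobby", now - timedelta(days=31), None),            # expired
    ]
    conn.executemany(
        "INSERT INTO door_events (badge_id, door, ts, incident_ref) VALUES (?,?,?,?)",
        [(b, d, t.isoformat(), i) for b, d, t, i in rows])
    conn.commit()
    return conn

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(purge_expired(build_sample_db(now), now))
```

Clearing `incident_ref` when an incident closes lets the next scheduled run remove those rows, so a hold does not turn into "keep forever".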
5) Engineer security, not surveillance.
Design your platform so it does its core job reliably—deterministic decisions at the door, event logging, safe release on fire alarm—without over-collecting. If your design adds cameras or microphones at entrances, justify each element. The ICO warns that audio capture is highly intrusive and generally unnecessary.
Biometrics in the workplace: do it right—or don’t do it
Biometric access can raise assurance (no card sharing) but is not a default choice. To pass legal and cultural tests:
- Evidence necessity and proportionality. Reserve biometrics for high-risk zones (e.g., data rooms, labs) where you can show why cards/PINs aren’t enough.
- Provide a reasonable alternative. Workers should not have to choose between handing over biometrics and getting paid or keeping their job. The ICO’s enforcement makes that point plain.
- Protect templates, not raw images. Store encrypted templates, restrict who can enrol/delete, log all admin actions, and purge templates promptly when staff leave.
- Explain clearly. Staff should understand how their data is used, for how long, and what happens if they opt for the alternative path. The ICO’s biometric guidance is explicit on these points.
Worker expectations, remote work and fairness
The ICO stresses that monitoring must be fair and context-aware. People working from home often have a higher expectation of privacy; designs that might be acceptable in a staffed lobby can be excessive in domestic settings (e.g., always-on audio or broad video analytics). Keep access control firmly tied to its security purpose; avoid repurposing it as a tool for performance tracking.
Rights, requests and practical boundaries
- Subject access. Employees can request copies of their personal data—access events and any related images. Be ready to locate and extract records without disclosing others’ data. The ICO’s surveillance guidance offers practical approaches to video; apply similar care to door logs.
- Rectification & objection. Keep clocks/time-sync clean and fix mis-tagged credentials quickly. Where you rely on legitimate interests, be prepared to consider objections.
- No covert monitoring (except in rare cases). Covert monitoring is only justified in exceptional circumstances and for a strictly limited time—your DPIA and legal advice should explain why.