Australian compliance guide
Access-control projects can involve security licensing, electrical and building work, emergency egress, fire doors, accessibility, workplace practices and personal information. No web page can certify a design as compliant in every property. Use current official sources and obtain advice appropriate to the site and organisation.

Check current security-licensing requirements
NSW Police currently describes Class 2C Security Equipment Specialist as covering sale, installation, maintenance, repair, service and advice relating to security equipment. Businesses providing licensed security operatives may also need the appropriate Master licence.
Victoria Police states that security equipment installer is a licensed private-security activity and includes electric, electro-mechanical, magnetic and biometric access-control devices in its current description of security equipment. Victorian individual and business licensing arrangements changed from June 2025, so use the current register and guidance rather than relying on an old licence card or article.
These summaries are not legal advice. Check the scope, status and activities of the people and business proposed for the work through the relevant police licensing authority before engagement.
Govern access records and personal information
Named credentials, event logs, visitor records, mobile accounts, photographs and video associations can be personal information. Establish why the data is collected, who may see it, how it is secured, how long it is retained and how access or correction requests are handled.
Do not quietly reuse door events for attendance, performance monitoring or unrelated investigations. A credential event records a system transaction; it may not prove that the authorised holder was the only person who entered or remained onsite.
Treat biometrics as a separate decision
OAIC guidance identifies biometric information used for automated biometric verification or identification, and biometric templates, as sensitive information under the Privacy Act framework. Sensitive information receives additional protections.
Before considering fingerprint or facial recognition, document necessity, proportionality, less intrusive alternatives, notice, consent or other authority, security, retention, deletion, overseas handling and incident response. Provide a workable alternative for authorised people who cannot or should not use the biometric method. Obtain organisation-specific privacy and workplace advice.
Access control does not override building and egress duties
Electronic locking, request-to-exit, emergency release and power-failure behaviour must be assessed for the actual opening. Fire-rated doors, required exits, automatic doors, lifts and accessible paths can involve building approvals and specialist contractors.
“Fail safe” and “fail secure” only describe how a lock responds when electrical power is removed. Neither term proves that an opening satisfies fire, egress, disability, workplace or emergency requirements.
Map the information lifecycle
| Information | Purpose to define | Governance questions |
|---|---|---|
| Identity and credential record | Issue an individual the approved access authority. | What is necessary, who approves it, where is it sourced, and when is it removed? |
| Door event history | Operate, investigate and maintain the security system. | Who may search it, how long is it useful, when is it deleted, and how are requests handled? |
| Visitor information | Coordinate a temporary visit and authorised host. | Is identification proportionate, who sees it, and does it flow to another service? |
| Photograph or biometric template | Support a specifically justified identity workflow. | Is sensitive information being created, is consent meaningful, is there a less intrusive option and what alternative is offered? |
| Video linked to access events | Verify or investigate a defined security event. | Are access and CCTV retention, permissions, notice and export controls aligned? |
| Administrator activity | Provide accountability for permission and configuration changes. | Are logs protected, reviewed and retained long enough for the identified risk? |
This table is a scoping aid, not legal advice. Privacy Act coverage, workplace obligations, surveillance rules, records duties and consent requirements depend on the organisation, jurisdiction and use. Obtain qualified review before deployment, especially for biometrics or monitoring beyond ordinary door operation.
Information for a compliance review
- Approved plans, door schedule and known fire-door information
- Normal, after-hours and emergency user journeys
- Lock function, exit hardware, power and battery arrangements
- Fire, lift, automatic-door and gate interfaces
- Credential, visitor, mobile and biometric data flows
- Administrator roles, retention and incident procedures
- Security installer and business licence activities
- Relevant building, electrical, fire, privacy and workplace advisers
Licensing and privacy questions
How can a customer check a security licence?
Use the current NSW Police SLED or Victoria Police private-security register and confirm that the holder’s status and licensed activities suit the proposed work.
Does a business need consent to use biometrics?
The answer depends on the organisation and context. Biometrics are sensitive information; obtain current, organisation-specific privacy and workplace advice before collection.
Are access logs time-and-attendance records?
Not automatically. They record credential and system events and may not prove the person’s continuous presence. Any attendance use needs deliberate design and governance.
Can an installer declare every fire door compliant?
No generic declaration is appropriate. Relevant doors and modifications require site-specific assessment by appropriately qualified professionals.
How often should this guidance be reviewed?
Review before publication, at least when relevant law or official guidance changes, and whenever the organisation changes technology, purpose or data handling.
Sources and further reading
- NSW Police SLED: Class 2 licence subclasses — accessed 12 July 2026
- Victoria Police: Private security and licensed activities — accessed 12 July 2026
- OAIC: Australian Privacy Principles guidelines — accessed 12 July 2026
- OAIC: APP Guidelines, key concepts and sensitive information — accessed 12 July 2026
This page provides general information and is not legal, privacy, building, fire or workplace advice.
Plan the project with the right reviewers
Serious Security can assess the security-system scope. Building, fire, electrical, privacy, workplace and legal matters should be reviewed by the appropriate professionals.


