Access Control for Apartment Buildings: A Practical Guide for Building Managers and Developers


Managing who can enter your building — and which areas they can access — is one of the most fundamental responsibilities a building manager or strata committee holds. Yet in many Australian apartment buildings, access control is still an afterthought: a mix of legacy key cylinders, duplicate fobs nobody can account for, and no way to know whether the contractor who finished work three months ago still has access.

Modern access control for apartment buildings is a system, not just a set of locks. It controls and logs entry to every layer of a building — entrance lobbies, car parks, lifts, common areas, plant rooms, roof access, and individual apartments where required. When planned correctly and integrated with the building's network infrastructure, it becomes one of the most operationally powerful tools available to a facilities or strata manager.

This guide covers everything you need to plan and implement access control in an Australian apartment building: credential types, IP-based vs traditional architectures, network requirements, intercom and CCTV integration, compliance obligations, and the common mistakes that create problems down the track.


What Access Control Means for an Apartment Building

Access control is the electronic management of who can open which door, at which time, and under what conditions. In a residential apartment context, that means:

  • Building entrance doors — the primary perimeter, typically requiring a credential or visitor intercom interaction to enter
  • Car park entry — vehicle access via boom gates or roller doors, often with pedestrian bypass doors requiring separate credentials
  • Lift access — floor-by-floor lift control so residents can only access their own level and shared floors
  • Common areas — pool, gym, rooftop terrace, mail rooms, and similar amenities
  • Plant rooms and service areas — electrical switchrooms, communications rooms, water tanks, and roof access points that must be restricted to authorised personnel
  • Individual apartments — less common in existing strata buildings but increasingly specified in new developments

The core function replaces traditional mechanical keys with electronic credentials. Unlike a key, a credential can be issued remotely, revoked instantly, and generates an audit log every time it is used. If a resident vacates without returning their fob, you deactivate it from the management software — the lock never changes.


The Four Access Credential Types

Key Cards and Fobs

Proximity cards and key fobs using RFID (Radio Frequency Identification) or smart card technology remain the most common credential type in Australian apartment buildings. They are reliable, low-cost per unit, widely understood by residents, and straightforward for building managers to issue and revoke.

Older proximity technology (125 kHz, such as EM4100 and HID Prox) is considered cryptographically weak and should not be specified for new installations. Modern installations should use high-frequency smart card formats (13.56 MHz, such as MIFARE DESFire or HID SEOS) which support encrypted communications between the credential and reader.

Mobile Credentials

Bluetooth Low Energy (BLE) and Near Field Communication (NFC) on smartphones are now standard specifications in new residential developments. The resident's phone replaces the physical card. Mobile credentials can be provisioned and revoked over the air without the resident needing to visit a management office.

From a building management perspective, mobile credentials reduce physical stock management and eliminate the issue of unreturned fobs. From a resident perspective, the phone becomes the single credential for the building — including intercom access and car park entry. The primary dependency is smartphone battery life, which most modern buildings address by retaining a physical card reader as a fallback.

PIN Codes

Numeric PIN entry is appropriate for lower-security access points where the credential holder volume is low and audit requirements are limited — bike cages, bin rooms, and secondary service entries are typical examples. PINs offer no identity attribution (anyone who knows the code can enter) and are unsuitable as the primary credential type for building perimeters or any area requiring an audit trail.

Biometric Credentials

Fingerprint scanners and facial recognition readers provide the strongest credential binding — the credential cannot be shared, loaned, or forgotten. Biometric systems are appropriate in high-security contexts such as data communications rooms, executive apartments, or secure car parks in mixed-use buildings.

However, biometric data is classified as sensitive information under the Privacy Act 1988 (Cth) and carries significant compliance obligations. Refer to the compliance section below before specifying biometric access control in any common or shared area.


IP-Based vs Traditional Access Control

The architectural choice between IP-based and traditional proprietary wired access control has long-term implications for cost, flexibility, and integration capability. The comparison below summarises the key differences.

Factor | Traditional (Proprietary Wired) | IP-Based
Cabling infrastructure | Proprietary multi-core cable runs to each reader | Standard Cat6 structured cabling with PoE
Controller location | Centralised panels per floor or zone | Distributed — controllers at each door or small cluster
Management interface | On-premises server, vendor-specific software | Web-based or cloud software, accessible remotely
Vendor dependency | High — hardware and software tied to one vendor | Low — open protocols (OSDP, Wiegand) allow hardware mixing
Scalability | Adding doors requires new cable runs and panel capacity | Add a PoE switch port and enrol the new reader in software
Integration with other systems | Limited — typically proprietary API or none | Native integration with VMS, intercom, BMS via open APIs
Remote management | Requires on-site access or VPN to local server | Native cloud or web dashboard from any location

For any new build or upgrade, IP-based access control is the correct specification. The cabling infrastructure (Cat6) is already present or being installed for data and CCTV, the management overhead is lower, and the system can be managed alongside the building's other IP-based security infrastructure.

Traditional proprietary systems are typically encountered during upgrades of legacy installations where the existing cable infrastructure would be prohibitively expensive to replace. In those cases, a hybrid approach — retaining existing panel wiring but adding an IP-connected management layer — can be a practical interim solution.


Network Requirements for IP Access Control

IP access control runs on the building's data network, which introduces specific requirements that must be planned before installation begins. This is the area where most access control installations in apartment buildings go wrong.

Dedicated VLAN Segmentation

Access control must operate on a dedicated VLAN (Virtual Local Area Network), isolated from resident internet services, building management systems, and other network segments. The reasons are:

Security: A resident on the building Wi-Fi network should have no path to the access control system's IP address range. If the access control system shares a network segment with resident devices, a technically capable resident could attempt to probe or interfere with door controllers.

Reliability: Access control must remain operational regardless of internet outages, ISP disruptions, or heavy resident network load. A dedicated VLAN with a managed switch configuration ensures the access control system has guaranteed bandwidth and is not affected by network events on other segments.

Audit integrity: Separating the access control VLAN from other building systems prevents any ambiguity about which devices generated which network traffic, which is relevant if access logs are ever reviewed as part of an incident or dispute.

For a detailed treatment of VLAN architecture in apartment buildings, refer to Pickle's guide on VLAN network segmentation.

Cabling and Power Infrastructure

IP access control readers and door controllers are powered via Power over Ethernet (PoE), which means a single Cat6 cable to each reader location carries both data and power. This simplifies installation compared to traditional systems requiring separate power runs.

Infrastructure requirements:

  • Cat6 or Cat6A horizontal cabling from communications room to each reader location
  • PoE-capable managed switches in the building's communications rooms — typically IEEE 802.3af (15.4W per port) for standard readers, 802.3at (30W) for heated readers or multi-technology readers with displays
  • Managed switches are mandatory — unmanaged switches cannot be configured for VLAN membership, QoS, or port security
  • Surge protection on exterior door reader cabling in exposed locations

See Pickle's article on network requirements for access control for a detailed infrastructure specification.

Backup Power

Access control must operate during mains power outages. Section D of the BCA (exit requirements) mandates that egress paths must not be obstructed, which means access-controlled fire doors must either fail-safe (unlock on power loss) or be connected to emergency power. The practical requirement for most buildings is an uninterruptible power supply (UPS) on the access control network switches and door controllers, sized to provide a minimum of four hours of run time. This is not optional; it is a life safety requirement.


Integration with Intercoms and CCTV

A standalone access control system logs who enters and exits but does not provide context for the visitor experience or visual verification of events. Integration with intercom and CCTV systems creates a unified security platform.

The Visitor Flow

In a correctly integrated building security system, the visitor experience works as follows:

  1. Visitor arrives at the building entrance and locates the resident's apartment on the intercom panel
  2. The intercom dials the resident's handset or mobile app
  3. The resident views a live camera feed of the entrance on their handset or app (fed from the entrance CCTV camera)
  4. The resident speaks with the visitor and, if appropriate, presses a button to release the entrance door
  5. The access event is logged in the access control system with a timestamp, the apartment that granted access, and a linked camera clip from the entrance camera

This integration eliminates the need for the resident to guess who is at the door from audio alone, provides an auditable record of every visitor access, and creates a deterrent against tailgating because the entrance is visually documented.

System Integration Requirements

For this integration to function, all three systems — access control, intercom, and CCTV — must be on compatible platforms with open integration APIs, and they must be on properly segmented but interconnected network infrastructure. The access control VLAN, CCTV VLAN, and intercom VLAN each maintain their own isolation but communicate through a managed firewall with defined, restrictive rules.

For CCTV network architecture detail, refer to Pickle's guide on CCTV network design, and for intercom integration specifics, see the article on IP intercom systems.
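
The segmentation rule above (no path from resident devices to the access control VLAN, and only defined flows between the access control, CCTV and intercom VLANs) can be checked against an exported firewall rule list. The following is an added example, not Pickle's or any vendor's code; the subnets, port 8443, the intended-flow list and the rule format are all constructed assumptions, and rules are assumed to be evaluated first-match-wins.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Constructed addressing plan; substitute the building's real subnets.
VLANS = {
    "resident": ip_network("10.10.0.0/16"),
    "access_control": ip_network("10.20.0.0/24"),
    "cctv": ip_network("10.30.0.0/24"),
    "intercom": ip_network("10.40.0.0/24"),
}

# The only inter-VLAN flows the design intends: (source, destination, TCP port).
# Port 8443 is an assumed stand-in for the vendors' documented API port.
INTENDED = {
    ("intercom", "access_control", 8443),  # door release from the handset
    ("access_control", "cctv", 8443),      # link a camera clip to an access event
}

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    port: Optional[int] = None  # None matches any port

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` matches is also matched by this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.port is None or self.port == other.port))

def effective_allows(rules):
    """Allow rules that can still match under first-match-wins ordering.

    Conservative: an allow is dropped only when one earlier deny covers it
    entirely, so a partially shadowed allow is still reported for review.
    """
    return [rule for i, rule in enumerate(rules)
            if rule.action == "allow"
            and not any(r.action == "deny" and r.covers(rule) for r in rules[:i])]

def audit(rules):
    """Return sorted (src VLAN, dst VLAN, port) flows that break the policy."""
    findings = set()
    for rule in effective_allows(rules):
        src, dst = ip_network(rule.src), ip_network(rule.dst)
        for s_name, s_net in VLANS.items():
            for d_name, d_net in VLANS.items():
                if s_name == d_name:
                    continue
                if not (src.overlaps(s_net) and dst.overlaps(d_net)):
                    continue
                if (s_name, d_name, rule.port) not in INTENDED:
                    findings.add((s_name, d_name, rule.port))
    # The rule list must end in an explicit deny-everything rule.
    any_any = Rule("allow", "0.0.0.0/0", "0.0.0.0/0")
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or not last.covers(any_any):
        findings.add(("*", "*", "missing default deny"))
    return sorted(findings, key=str)

# Constructed rule set, listed in evaluation order.
SAMPLE_RULES = [
    Rule("allow", "10.40.0.0/24", "10.20.0.0/24", 8443),  # intended
    Rule("allow", "10.20.0.0/24", "10.30.0.0/24", 8443),  # intended
    Rule("allow", "10.10.0.0/16", "10.0.0.0/8", 80),      # too broad
    Rule("deny", "10.10.0.0/16", "10.20.0.0/24"),         # too late for port 80
    Rule("allow", "10.10.5.0/24", "10.20.0.0/24", 22),    # dead: shadowed by deny
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("policy violation:", finding)
```

The sample shows an ordering failure: the deny for resident-to-access-control traffic sits below a broad allow, so port 80 is already permitted before the deny is evaluated.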


Australian Compliance Considerations

Privacy Act 1988 (Cth) — Biometric Data

Biometric data — including fingerprints, facial geometry, and the templates derived from them — is classified as sensitive information under the Privacy Act 1988 (Cth). The Australian Privacy Principles (APPs) require that sensitive information may only be collected with the individual's consent, unless a specific exception applies.

For apartment building access control, this has practical implications:

  • Biometric access control in common areas (entrance lobbies, car parks, lifts) requires informed written consent from each resident or regular user
  • A Privacy Collection Notice must be provided at the point of collection, explaining what data is collected, how it is stored, and how it is used
  • Biometric templates must be stored securely, and the data management policy must address retention periods and destruction of data when a resident vacates
  • The Bunnings/Kmart facial recognition decisions (2024–2025) confirmed that widespread deployment of facial recognition without consent constitutes a serious interference with privacy under Australian law, even where the intent is security-related

Biometric access control remains appropriate for high-security, controlled-access areas (communications rooms, secure plant rooms) where access is limited to staff who have provided informed consent. It is not appropriate as a general-population credential in common areas of residential buildings without robust consent and data governance frameworks in place.

For biometric deployments, a Privacy Impact Assessment (PIA) conducted before implementation is strongly recommended.

Strata Legislation — Common Area Access Rights

Strata legislation in each Australian state and territory confers rights on lot owners and residents regarding access to common property. In New South Wales, the Strata Schemes Management Act 2015 establishes that owners corporations must not unreasonably restrict a resident's ability to access their lot or reasonable common areas.

This means an access control system must:

  • Ensure every resident is provided with a functioning credential for all areas they are entitled to access as a matter of course — access should not be contingent on administrative delays
  • Provide a clear and documented process for issuing replacement credentials within a reasonable timeframe when credentials are lost or fail
  • Not use access logs as a basis for restricting resident access without proper legal process

Strata regulations differ between states. Queensland operates under the Body Corporate and Community Management Act 1997; Victoria under the Owners Corporations Act 2006. The strata manager should be consulted when drafting the access control policy for any scheme.

Building Code of Australia — Fire Egress

Section D of the Building Code of Australia (BCA), now incorporated into the National Construction Code (NCC), governs exit requirements and means of egress. Any door on a required exit path — stairwell doors, exit lobby doors, car park exit pedestrian doors — must comply with fire egress requirements.

The key compliance obligation for access control is that doors on required exit paths must fail-safe in the unlock position on loss of power or on fire alarm activation. Access-controlled fire doors must be connected to the fire indicator panel (FIP) so that a fire alarm signal releases all relevant doors. This integration must be reviewed and signed off by the building's fire engineer.


Common Mistakes in Apartment Building Access Control

Installing Access Control Without Network Planning

The most frequent and costly mistake is treating access control as a standalone system independent of the building's network infrastructure. Installers who specialise in access control hardware but not network architecture often connect controllers directly to whatever network port is available — which may be the resident internet segment, an unmanaged switch, or a shared building services network.

The consequence is a system that either creates security exposure (residents can reach access control devices) or behaves unreliably (network congestion or ISP outages affect door operation). Fixing this after installation requires recabling or reconfiguring the network, both of which are disruptive and expensive.

The correct sequence is: network design first, then access control installation. The access control VLAN must be specified, the managed switches must be configured, and the IP address scheme must be finalised before a single access control device is powered on.

No Backup Power

As covered above, UPS protection for access control infrastructure is a life safety requirement under the BCA, not an optional upgrade. Buildings that install IP access control on PoE switches without UPS protection will lose door control during any power event — including the building power outages most likely to coincide with emergency evacuations.

Proprietary Vendor Lock-In

Specifying a closed, proprietary access control platform — where the hardware, software, and ongoing management can only be performed by a single vendor — creates long-term cost exposure. If the vendor increases service fees, discontinues the product line, or provides poor support, the building has no practical alternative other than a full system replacement.

Open-protocol systems using OSDP (Open Supervised Device Protocol) or published API integrations allow hardware from multiple manufacturers to operate together and give the building owner the flexibility to change management software or service providers without replacing physical infrastructure.

No Audit Log Retention Policy

Access control systems generate timestamped logs of every credential use, door event, and system action. These logs are operationally valuable for investigating incidents and resolving disputes. However, retaining them indefinitely creates privacy obligations under the APPs — particularly if the logs are associated with individually identifiable residents.

The building should establish a written log retention policy specifying how long access logs are retained (30–90 days is typical for routine events; longer retention may be appropriate for incident-flagged events), who can access them, and how they are destroyed when the retention period expires. This policy should be disclosed to residents as part of the building's privacy documentation.


Managing Access Credentials Day-to-Day

The operational value of an access control system depends on how well credentials are managed over time. A poorly administered system — where former residents retain active credentials, tradespeople have permanent access, and nobody knows which fobs are in circulation — provides only the illusion of security.

Resident Lifecycle Management

At move-in, the building manager or strata manager issues the new resident's credentials and documents which credential identifiers (card numbers, mobile credential IDs) are assigned to which lot. At vacate, those credentials are deactivated in the management software — ideally on the same day keys are returned.

Cloud-based access control management platforms allow this to be done remotely without requiring a visit to the site's server room. A building manager managing multiple properties can handle credential administration across all buildings from a single interface.

Contractor and Tradesperson Access

Tradespeople working in a building need access to relevant areas during their engagement but should not retain that access indefinitely. Best practice is to issue temporary credentials with a defined expiry date — the credential automatically deactivates at the end of the contractor's access period. This eliminates the need for the building manager to remember to revoke access manually.

For high-sensitivity areas (communications rooms, electrical switchrooms), contractor access should be logged and reviewed periodically to confirm the access record is consistent with the building's maintenance schedule.
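
The lifecycle checks described above (deactivation at vacate, contractor expiry dates, and periodic review of contractor access to sensitive rooms against the maintenance schedule) can be run as a routine audit over data exported from the management platform. This is an added example, not Pickle's or any vendor's code; the record layout, door names, holder names and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

SENSITIVE_DOORS = {"comms-room", "switchroom"}  # assumed door names

@dataclass(frozen=True)
class Credential:
    cred_id: str
    holder: str
    kind: str                       # "resident" or "contractor"
    issued: date
    active: bool
    lot: Optional[str] = None       # residents only
    expires: Optional[date] = None  # contractors only

def audit_register(creds, vacated, today):
    """Flag active credentials that should already be off.

    `vacated` maps lot -> vacate date. Only credentials issued before that
    date are flagged, so the incoming resident's new fob is left alone.
    """
    findings = []
    for c in creds:
        if not c.active:
            continue
        if c.kind == "resident":
            left = vacated.get(c.lot)
            if left is not None and c.issued < left <= today:
                findings.append((c.cred_id, "active after lot vacated"))
        elif c.kind == "contractor":
            if c.expires is None:
                findings.append((c.cred_id, "no expiry date set"))
            elif c.expires < today:
                findings.append((c.cred_id, "active after expiry"))
    return findings

def unscheduled_sensitive_access(events, creds, windows):
    """Sensitive-door use by a contractor or unknown credential that falls
    outside every maintenance window booked for that holder and door.

    events: (timestamp, cred_id, door); windows: (holder, door, start, end)
    """
    by_id = {c.cred_id: c for c in creds}
    flagged = []
    for ts, cred_id, door in events:
        if door not in SENSITIVE_DOORS:
            continue
        c = by_id.get(cred_id)
        if c is not None and c.kind != "contractor":
            continue
        booked = c is not None and any(
            holder == c.holder and w_door == door and start <= ts <= end
            for holder, w_door, start, end in windows)
        if not booked:
            flagged.append((ts.isoformat(), cred_id, door))
    return flagged

# Constructed sample data (not from a real building).
TODAY = date(2025, 6, 30)
VACATED = {"12": date(2025, 6, 15)}
REGISTER = [
    Credential("R-1001", "former resident", "resident", date(2023, 2, 1), True, "12"),
    Credential("R-1002", "new resident", "resident", date(2025, 6, 16), True, "12"),
    Credential("C-2001", "Acme Electrical", "contractor", date(2025, 3, 1), True),
    Credential("C-2002", "Lift Services Co", "contractor", date(2025, 5, 1), True,
               expires=date(2025, 5, 31)),
    Credential("C-2003", "NetCabling", "contractor", date(2025, 6, 20), True,
               expires=date(2025, 7, 4)),
]
WINDOWS = [("NetCabling", "comms-room",
            datetime(2025, 6, 24, 8, 0), datetime(2025, 6, 24, 17, 0))]
EVENTS = [
    (datetime(2025, 6, 24, 9, 15), "C-2003", "comms-room"),   # inside window
    (datetime(2025, 6, 25, 10, 0), "C-2001", "switchroom"),   # nothing booked
    (datetime(2025, 6, 27, 22, 40), "C-2003", "comms-room"),  # after hours
    (datetime(2025, 6, 27, 22, 45), "C-2003", "lobby"),       # not sensitive
]
```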

Lost Credentials

When a resident reports a lost fob or card, the credential is immediately deactivated in the management software and a replacement is issued. Because the old credential identifier is deactivated — not the physical lock cylinder reprogrammed — this process takes seconds and has no impact on other residents. This is one of the most operationally significant advantages of electronic access control over traditional keying.


Questions to Ask Before You Specify an Access Control System

Before engaging an access control provider, building managers and developers should be in a position to answer — or require answers to — the following questions.

Q: Does the system run on standard IP network infrastructure, and can it be isolated on a dedicated VLAN?

A: Yes should be the only acceptable answer. Any system that requires proprietary cabling or cannot be placed on a dedicated VLAN should not be specified for a new or upgraded installation. The inability to VLAN-isolate access control is a security and reliability risk.

Q: What happens to door operation when the internet goes down, or when mains power is lost?

A: The system must maintain local door control (from an on-site controller or panel) when internet connectivity is unavailable, and must maintain power from a UPS during mains outages. If a vendor cannot clearly answer both halves of this question, the system's resilience is not fit for purpose in a residential building.

Q: Is the system open-protocol, and can a different service provider take over management without replacing hardware?

A: The building owner should be able to change service providers without replacing door hardware. If the answer is no, the building is committing to that vendor indefinitely. Insist on open-protocol hardware (OSDP readers, open API management software) and confirm this contractually.

Q: How is biometric data stored, and what is the process for deleting it when a resident vacates?

A: If biometrics are being considered, the vendor must be able to describe where templates are stored (on-device or in a cloud database), how they are encrypted, and what the deletion process is. This information is required to construct a compliant privacy policy for the building.

Q: How does the system integrate with the building's intercom and CCTV systems?

A: Integration should be via documented, open APIs — not via a proprietary bridge device that ties you to a single vendor ecosystem. Confirm that the intercom and CCTV platforms are on the vendor's published integration list and that door release from the intercom handset is a native function, not a workaround.


Frequently Asked Questions

Q: Can residents use their phones instead of key cards in an existing building?

A: Yes, in most cases. Modern access control readers support both smart card credentials and mobile credentials (Bluetooth/NFC) simultaneously. A building that already has IP-based access control can typically add mobile credential support through a software licence upgrade and reader firmware update, without replacing door hardware. Buildings with older proximity card readers will require reader replacements, but the back-end controller infrastructure often remains serviceable.

Q: How long does it take to implement access control in a mid-sized apartment building?

A: A building of 50–120 apartments with standard access points (building entrance, car park, two or three common area doors, lift control) typically takes four to eight weeks from confirmed design to practical completion. This includes the time required for the network design sign-off, cabling installation, hardware commissioning, and resident credential enrolment. Buildings with more complex integrations or heritage cabling constraints will take longer.

Q: Do access control logs have to be shared with strata committee members?

A: Access logs are building operational data, and the owners corporation has a legitimate interest in them for security and incident management purposes. However, logs that identify individual residents' movements should be treated as personal information under the Privacy Act and accessed only by those with a legitimate management need — typically the strata manager and building manager, not the full committee. The building's privacy policy should specify who has access to logs and under what circumstances.

Q: What is the difference between fail-safe and fail-secure door hardware, and which should be used where?

A: Fail-safe means the door unlocks when power is removed — the safe state is open. Fail-secure means the door locks when power is removed — the safe state is closed. Doors on required fire egress paths must be fail-safe or connected to emergency power, so that a power failure or fire alarm always results in the exit being available. Doors to secure plant rooms, communications rooms, or storage areas are typically fail-secure — a power failure should not result in those areas becoming open to any passer-by. The building's fire engineer should confirm which configuration applies to each access-controlled door.


How Pickle Approaches Access Control in Apartment Buildings

Pickle designs and installs IP-based access control systems as part of an integrated building technology solution — not as a standalone product. Because Pickle also manages the building's network infrastructure, the access control VLAN is designed and configured alongside the resident internet, CCTV, and intercom networks from the outset, not retrofitted after the fact.

This means:

  • Access control is isolated on a dedicated, properly configured VLAN from day one
  • PoE switching infrastructure is specified and installed to the correct standard for access control reliability
  • Integration with IP intercom and CCTV systems is native — all three platforms are on compatible infrastructure managed by one team
  • Credential administration is handled through a cloud management platform, allowing remote issuance and revocation without site visits
  • Backup power (UPS) is included in the building technology specification as standard

For building managers dealing with a legacy system that needs upgrading, or developers specifying technology for a new build, Pickle can provide a technology design that addresses access control, networking, CCTV, and intercoms as a coherent system rather than a collection of separate contractor scopes.

For more on how building cybersecurity fits into this picture, see Pickle's article on building cybersecurity.

To discuss access control planning for your building, contact the Pickle team on 1300 688 588 or email [email protected].