
The turnstile access control system at the site gate doesn’t earn its place by stopping unauthorised access alone. It earns its place by sitting at the centre of a data flow that runs from pre-site induction through the rotor at the gate, through time and attendance, into payroll, into HMRC CIS monthly returns, and across to BREEAM workforce reporting. When the integration works, the principal contractor has one verified, auditable workforce record. When it doesn’t, the contractor has six spreadsheets that don’t agree with each other and an audit trail no one trusts.
Veritech Security designs, installs and integrates construction site turnstile access control across the UK. We don’t develop induction or workforce management platforms — we work with the platforms our clients already use, and we make sure the access control system feeds the right data into the right place. This article maps the UK integration landscape, names the platforms construction businesses actually run, and walks through the data flow that makes the whole thing work. It is deliberately vendor-neutral; what matters for the principal contractor is not which platform they pick but that the integration depth matches what they need to evidence.
A modern UK construction site access control deployment sits inside an ecosystem of adjacent systems. The named examples below are illustrative, not endorsements — the principal contractor should select on integration depth, contractual flexibility and price, not on brand recognition.
Workforce management platforms. End-to-end systems that handle pre-site registration, online induction, biometric access control, time and attendance, briefings, RAMS, labour requisitioning and reporting in a single product. The two best-known UK-construction-focused platforms are MSite (Liverpool, part of Infobric Group since 2021) and Biosite (Solihull, part of ASSA ABLOY Group since 2020). MSite operates on multi-decade UK construction contracts with names like Balfour Beatty, Morgan Sindall, Vinci, BAM, Lendlease and John Sisk; Biosite was founded in 2010 and was an early UK biometric access leader. Either platform handles the full chain from pre-arrival enrolment to payroll-ready time data.
Access control software. Where the workforce management platform isn’t end-to-end, or where the principal contractor wants a separate access control stack, a dedicated UK-built access control system sits between the credential readers and the workforce platform. Paxton Net2 (Brighton, 30+ years’ UK trading) is the UK’s most-deployed access control system, with the company’s own figures citing 150+ new buildings deployed every week. Net2 supports up to 1,000 doors and 50,000 users per system and integrates natively with biometric credential readers.
Biometric credential readers. Specialist hardware that captures the biometric and matches it against the enrolled template. ievo (Newcastle, founded 2010, part of CDVI UK) makes multi-spectral imaging fingerprint readers with IP65 weatherproofing — ievo’s own published figures cite that the company’s readers are integrated into Paxton Net2 as embedded biometric solutions, and that the readers have been used by a substantial majority of top UK construction companies historically. Suprema (global manufacturer, with UK distribution) makes face and fingerprint readers that integrate into Net2 and other platforms through certified integrations. The choice between fingerprint and facial recognition is covered in our biometric vs RFID article.
Construction accounting and CIS-aware payroll. Where the time and attendance data terminates is the payroll system, and on UK construction sites the payroll system has to handle CIS (Construction Industry Scheme) deductions, retentions, and the specific mechanics of paying subcontractors. Evolution Mx (Integrity Software, Lincoln, 40+ years’ UK trading) is the largest UK construction-specific accounting platform with HMRC-recognised CIS submission, used by over 1,000 UK construction businesses. Other UK construction-payroll software includes Eque2 Construct, COINS, and integrated modules within enterprise ERP systems.
BREEAM reporting platforms. Where the project is targeting BREEAM certification, workforce data — diversity, locality, training, hours, CO₂ — feeds reporting tools. BreeCS is a UK construction-site BREEAM compliance management tool that integrates with access control credential platforms. MSite’s own platform also produces BREEAM-ready reporting natively.
Fire alarm and emergency systems. The fire alarm integration that releases the turnstile on alarm activation, and the muster reporting that confirms accountability, are covered in detail in our fire alarm and muster reporting article.
The principal contractor will not deploy all of the above on every project. The pattern that matters: a single source of truth for workforce identity, with the access control system as the live verification point.
The journey starts before the worker arrives.
Pre-registration. The worker is invited (typically by their employing subcontractor, sometimes directly) to register on the project’s induction platform. They upload identity documents, CSCS card details, right-to-work documentation, training certificates, and any role-specific credentials. The platform validates these — automatically where possible, manually where needed. Right-to-work verification is a mandatory pre-condition for site access in the UK.
Online induction. The worker completes a site-specific online induction module covering the construction phase plan’s key safety information, project-specific hazards, emergency procedures, fire muster point, and any sub-induction layers (working at height, hot works, confined spaces). MSite, for example, offers automatic content translation into 30+ languages to handle linguistic diversity in the UK workforce.
Credential enrolment. On first day at site, the worker presents at the gate office. The induction record is checked. The biometric template (fingerprint or face) is captured on a desktop enrolment reader and linked to the worker’s induction record. RFID credentials (CSCS-style card, MIFARE DESFire smart card, or a project-issued credential) can be enrolled the same way.
Gate handoff. From that point forward, every rotor pass triggers a validation chain: credential read → lookup against the access control database → check induction status flag → check CSCS validity (often live via CSCS Smart Check) → check fire alarm interlock state → log the entry event.
If the worker arrives without completing online induction, the rotor stays locked. This is the cleanest enforcement mechanism the principal contractor has — it removes the awkward conversation about who has and hasn’t been inducted, and it eliminates the failure mode where a worker tailgates through with an inducted colleague.
The same rotor pass that evidences CDM 2015 compliance also produces the time and attendance record. The data flow has three legs.
Capture at the gate. Every entry and exit is timestamped against the worker’s verified identity. The system records: time in, time out, total time on site that day, subcontractor or employing entity, role/trade, and any breaks captured by exit-and-return events.
Pre-processing. The workforce platform applies rules: minimum shift length, lunch deductions, overtime thresholds, night-shift premium hours, weekend rates. Some platforms (MSite, Biosite, and their equivalents) apply these rules internally; others export raw clock-in/clock-out data and rely on the payroll system to apply the business rules.
Payroll handoff. The processed timesheet data feeds the payroll system either via a published API, via scheduled CSV export, or via direct database integration. In Evolution Mx terms (Integrity Software), this becomes a timesheet import and processing workflow that handles both employed (PAYE) workers and self-employed CIS subcontractors in the same flow. The same data drives subcontractor application authorisation, retentions tracking, and the CIS deduction calculation.
The principal contractor’s value capture here is significant — accurate gate data eliminates the disputes that arise when subcontractor invoices for hours that don’t match what the gate recorded.
The Construction Industry Scheme is a HMRC tax deduction regime that applies to virtually every UK construction project. Verified primary-source position:
Contractor verification of subcontractors. Before making the first payment under each contract, the contractor must verify the subcontractor with HMRC. HMRC returns one of three deduction rates: 0% (gross payment status), 20% (registered subcontractor), or 30% (unregistered subcontractor). Construction-specific accounting platforms (Evolution Mx and equivalents) handle this verification directly with HMRC via API.
Monthly CIS300 return. The contractor must file a monthly return to HMRC by the 19th of each month, detailing every subcontractor payment and the deductions applied. From 6 April 2026 — following the Autumn Budget 2025 announcement — contractors must either submit a nil return for any tax month with no subcontractor payments or, alternatively, submit an inactivity request in advance for known periods of no activity. The full late filing penalty regime has been reinstated alongside this change: £100 initial fixed penalty, escalating to £200 at two months, £300 (or 5% of liability if greater) at six months, and a further tax-geared penalty at twelve months. CIS-specific software files the CIS300 directly with HMRC and produces the payment and deduction statements that subcontractors require within 14 days of the end of the tax month.
Deduction mechanics. CIS deductions are calculated on the labour element of the payment, not the full invoice — genuine materials costs are excluded before applying the percentage. The contractor pays the deduction to HMRC by the 22nd of each month (electronic payment) or 19th (postal).
Deemed contractor threshold. A business not primarily in construction becomes a “deemed contractor” once its construction expenditure exceeds £3m (excluding VAT, materials and non-construction costs). Deemed contractors carry the same CIS obligations as mainstream contractors.
Where the access control integration earns its place in CIS: the gate-derived hours feed the labour-cost calculation that the CIS deduction is applied to. Accurate hours mean accurate CIS deductions, which means clean monthly returns and a defensible position if HMRC inspects. Inaccurate hours create both an under-deduction risk (HMRC clawback) and an over-deduction risk (subcontractor disputes).
The IR35 framework runs alongside CIS but isn’t the same thing.
The 2021 reform. From 6 April 2021, medium and large private-sector clients became responsible for determining the employment status of contractors operating through their own intermediary (typically a personal service company / PSC). The client must issue a Status Determination Statement (SDS) to the worker and any agency in the supply chain before the first payment.
The CEST tool. HMRC’s Check Employment Status for Tax tool is the official self-service status check. HMRC has stated it will stand by a CEST result provided the inputs accurately reflect the working arrangement. The tool considers factors including control (who decides how, when and where the work is done), substitution (whether the contractor can send a substitute), mutuality of obligation, financial risk, equipment provision, and integration into the client’s business.
Where the responsibility sits. For medium and large private-sector clients, the responsibility for the determination sits with the client. Small private-sector clients are exempt, and the responsibility stays with the worker’s intermediary. The “small” classification follows Companies Act thresholds — broadly, businesses meeting two or more of: turnover not exceeding the small-company threshold, balance sheet total not exceeding the small-company threshold, and average employee count under the small-company threshold. The Companies (Accounts and Reports) (Amendment and Transitional Provision) Regulations 2024 (SI 2024/1303) increased the turnover threshold from £10.2m to £15m and the balance sheet threshold from £5.1m to £7.5m for financial years beginning on or after 6 April 2025; the same thresholds apply for IR35 purposes from the 2026/27 tax year onwards. HMRC’s own estimate is that approximately 14,000 companies will reclassify as small as a result. The practical impact for IR35 purposes depends on the prior-year assessment and on transitional rules, so for many companies the actual IR35 transition lands in tax year 2027/28 rather than 2026/27 — finance teams should confirm the position for each contracting entity.
The IR35 / CIS interaction. Where a contract is determined inside IR35, PAYE applies — not CIS. The fee-payer (the client or agency immediately above the worker’s intermediary) operates PAYE deductions on the payments. CIS does not apply where IR35 takes precedence. Where the contract is outside IR35 and the worker is operating self-employed via a PSC, CIS may apply in the normal way.
This is where the access control integration intersects with status determination. The gate-derived data (how often the worker is on site, whether they have a regular pattern of work, whether they have access to the same areas as employees) feeds into the employment-status assessment. It is not the sole determinant — but it is corroborating evidence that the contractor’s working arrangement matches the contract documentation.
BREEAM Man 03 (“Responsible Construction Practices”) credits are awarded primarily through the Considerate Constructors Scheme (CCS), which BREEAM recognises as a compliant scheme. The CCS itself is organised into three sections — Community, Environment and Workforce — and the principal contractor’s score across these sections drives the Man 03 credit award. The Man 03 criteria also separately require monitoring of on-site energy use, water consumption and transport-related CO₂, and the appointment of a Sustainability Champion.
Beyond Man 03, separate BREEAM credits and adjacent social-value frameworks (BREEAM Wst, Tra, plus the wider Social Value Framework that many public-sector projects now mandate alongside BREEAM) require evidence around workforce locality, training, diversity and commuting impact. The access control system feeds the underlying data points used across all of this reporting:
MSite, Biosite and other workforce platforms produce CCS-ready and BREEAM-ready reports natively from this data. BreeCS as a dedicated BREEAM compliance management tool ingests the same data via integration. The integration earns its place by replacing the spreadsheet-driven approach to responsible-construction and social-value reporting with auditable, source-of-truth data — what specifically feeds Man 03 (via CCS sections) versus what feeds other BREEAM credits or the project’s wider social value commitments depends on each project’s BREEAM assessor scope.
Integration creates data-flow complexity that has UK GDPR implications. The principal contractor is the data controller for workforce data. Each integrated system — workforce platform, access control, payroll, BREEAM reporting tool — is typically a data processor under a written agreement (UK GDPR Article 28). Biometric data, where used for unique identification, is special category data under UK GDPR Article 9 and requires a separate lawful basis and a Data Protection Impact Assessment.
The detail on biometric data, processor agreements, and ICO guidance is in our biometric vs RFID article and our pillar guide.
Two patterns dominate in UK construction site access control integration.
Real-time API. Modern workforce platforms expose a published REST or webhook API. The access control system pushes events (entry, exit, validation failure) to the platform in near real-time; the platform pushes updates (new worker, induction completion, credential revocation) back. This is the cleaner integration but requires both sides to support it — and the principal contractor pays a per-event API cost in some commercial models.
Scheduled CSV / batch. Where API integration isn’t available or isn’t worth the price, both sides export and import scheduled CSV files. Less elegant, more brittle, but it works — and it’s still the dominant pattern at the budget end of the market. For a project that runs 18 months, CSV-based integration delivers most of the value at a fraction of the development cost.
The cost trade-off. API integration costs more upfront but reduces operational overhead. CSV integration costs less upfront but generates more support work — file format drift, scheduling failures, reconciliation. For a single project the CSV approach often makes sense; for a contractor with a long-term programme across many sites, API integration earns its keep.
Which UK induction platforms integrate with construction site turnstiles? The two most widely deployed end-to-end UK construction workforce platforms are MSite (Infobric Group, Liverpool) and Biosite (ASSA ABLOY Group, Solihull). Both handle pre-site registration, online induction, biometric access control and time and attendance natively. Standalone access control systems like Paxton Net2 (Brighton) integrate with separate induction platforms via API or CSV.
How does the turnstile feed CIS monthly returns? The turnstile captures verified hours against verified identity. The hours feed the labour-cost component of the subcontractor invoice. The CIS deduction (20%, 30% or 0% per HMRC verification) is applied to that labour cost. Construction-specific accounting software like Evolution Mx submits the monthly CIS300 return directly to HMRC. The turnstile data improves the accuracy of the labour cost, which improves the accuracy of the CIS calculation and reduces audit risk.
Does the turnstile help with IR35 status determination? Indirectly. The turnstile produces evidence about how the contractor actually works — frequency, hours, regularity, location of work — that corroborates or contradicts the contract documentation when an IR35 status determination is being made. The official determination is made via the HMRC CEST tool or equivalent assessment, and is documented in a Status Determination Statement issued to the worker before first payment.
Can the access control system handle both CIS subcontractors and PAYE employees? Yes. The credential and induction layer doesn’t differentiate. The differentiation happens at the payroll layer, where the same gate-derived hours feed PAYE for employees (and for IR35-inside contractors) and feed CIS deduction calculations for CIS-paid subcontractors. Construction-specific payroll software handles both flows in the same system.
What’s the integration pattern — API or CSV? Both are common in UK construction. API integration is cleaner but more expensive upfront; CSV/batch integration is brittle but cheaper. For long-running multi-site programmes API earns its keep; for single projects CSV often delivers enough value. The choice depends on the contractor’s IT capability and budget.
How does BREEAM reporting work with the access control data? Worker home postcodes (captured at pre-site registration), hours worked (from the access control log), training hours (from induction and briefings) and diversity data (self-reported at registration) feed multiple BREEAM credits and wider social-value reporting. BREEAM Man 03 (“Responsible Construction Practices”) credits are awarded primarily through the Considerate Constructors Scheme, which is organised into Community, Environment and Workforce sections — workforce platforms produce CCS-ready reports natively. Dedicated BREEAM compliance tools like BreeCS ingest the same data via integration. What specifically feeds Man 03 versus other BREEAM credits depends on each project’s assessor scope.
What about UK GDPR — who owns the data? The principal contractor is the data controller for workforce data on the site. Each integrated platform (induction software, access control, payroll, BREEAM reporting) is typically a data processor under a written UK GDPR Article 28 agreement. Where biometric data is used for unique identification it is special category data under Article 9 and requires a separate lawful basis plus a Data Protection Impact Assessment.
Which biometric readers integrate natively with UK access control software? ievo (Newcastle, part of CDVI UK) fingerprint readers are embedded directly into Paxton Net2 — ievo’s own marketing describes ievo as “the only biometric solution to be completely embedded into the market leading Paxton Net2 software”. Suprema (global manufacturer with UK distribution) integrates with Net2 via a separate certified integration. Several other biometric readers integrate via the Net2 API or via third-party middleware (Invixium IXM Link, BioConnect).
Veritech Security works with principal contractors, project managers, and construction businesses across the UK to design, install, integrate and manage construction site access control systems that protect sites throughout the full project lifecycle.
Our services relevant to integration include access control hardware specification, installation and commissioning; integration with online induction platforms (MSite, Biosite or equivalent); time and attendance integration with construction-specific payroll platforms (Evolution Mx, Eque2, COINS or equivalent); CSCS Smart Check integration for real-time card verification; biometric reader integration (ievo, Suprema and equivalent) with Paxton Net2 or other UK access control software; fire alarm interlock commissioning; SIA-licensed manned guarding to maintain integrity at the gate; and 24/7 remote monitoring with verified response protocols.
We hold SIA approved contractor status alongside ISO 9001, ISO 14001, Constructionline, SafeContractor, RISQS, Achilles, and Cyber Essentials accreditations — the credentials that principal contractors and their insurers expect to see.
If you have a construction project that needs a security solution, speak to Veritech before the plant goes on site.
Call: 0800 799 9800 (available 24/7) Email: info@veritech-security.com Or: request a site security consultation online.

Head Office
18-20 Millbrook Road East,
Southampton, Hampshire, SO15 1HY
Tel: 0800 799 9800
Email: info@veritech-security.com
Hours: Monday - Sunday: Open 24 Hours
© 2026 Veritech Security is a trading name of Veritech Systems Limited | Company Registration No. 07095234 | Social Responsibility Policy | Sitemap | Privacy Policy | Policies and Procedures | Veritech Systems Limited holds SIA approved contractor status for Security Guarding, CCTV and Keyholding security services.
Simply complete our quick survey below