Royal Canadian Mounted Police
Symbol of the Government of Canada
Skip to content | Skip to institutional links

Common menu bar links

Home > LSA for Physical Security > Publications > G1-006 Identification Cards / Access Badges  

G1-006 Identification Cards / Access Badges

Physical Security Guide
Lead Agency Publication   G1-006

Issued: June 1992
Revised: July 2006

Table of Contents

 

1.  Introduction

The Government Security Policy (GSP) states the requirements for protecting government personnel, assets, information and operations. Threats in both Canada and abroad including violence toward employees, unauthorized access, theft, fraud, vandalism and other malicious activity could be minimized or prevented completely if individuals with malevolent intent are not able to gain access to government sites. Similarly, it is vital to government operations that its personnel and other authorized individuals are able to reflect their status through an identification process which merits the confidence of both the public and private sectors.

Transnational criminal activity, foreign intelligence activities and terrorism continue to evolve as the result of changes in the international environment. Accordingly, governments and organizations around the world are moving towards more robust access control solutions in an effort to mitigate ever increasing threats. This security guide complements, and should be read in conjunction with, other lead agency documents such as RCMP Guide G1-024 - Control of Access and the GSP standards, notably the Operational Security Standard on Physical Security. In accordance with Sections 10.1, 10.8 and 10.11 of the GSP, and the Operational Security Standard – Readiness Levels for Federal Government Facilities, this physical security guide provides information and advice to meet the baseline physical security requirements with respect to identification cards and access badges.

While baseline requirements are designed for common types of scenarios, some departments/organizations may face different threats because of the nature of their operations, their location and/or the attractiveness of their assets. Examples include police or military establishments, health services, laboratories, sensitive research facilities, museums, service counters, offices in high-crime areas and overseas facilities. Such entities may require more stringent security measures based on the results of a Threat and Risk Assessment (TRA).

2.  Scope and Application

All government employees must be issued an identification card which, as a minimum, includes the name of the department/organization, the bearer's name and photo, a unique card number and an expiry date. In addition, access badges indicate authorization status for employees, visitors, contractors, service personnel, etc. who have a demonstrated need or “affiliation” with the department/organization and clearly identifies them as an employee or a non-employee. This guide provides direction on how to meet these minimum requirements and is supplemented by relevant technical criteria, suggestions, examples, best practices and other measures.

This guide outlines the primary requirements for both identification card and access badge systems (manual and machine-aided or automated). It also identifies security concerns that must be addressed in the development, selection, implementation and administration of any identification card or access badge system. Further, this document provides minimum1 card and badge system guidelines for departments/organizations that have determined a requirement for an access control system.

This document also provides information to assist departments/organizations in the application of Treasury Board Secretariat’s Operational Security Standard - Readiness Levels for Federal Government Facilities when related to the requirements of control of access procedures and identification cards.

3.  Definitions

Access badge (Insigne d’accès) - a document issued by a department/organization to show the zone or facility/complex to which the bearer has authorized access2. It should not be confused with an identification card as it serves different purposes and may have a different appearance.

Affiliation (Membre affilié) - departments/organizations may issue ID cards or access badges in order to define the affiliation of other categories of individuals to the organization. For example, students, volunteers or Ministerial staff.

Employee (Employé) - an individual employed by the government department/organization in question on an indeterminate, term, secondment or casual basis.

Identification card (Carte d’identité) - a document issued by the department/organization to identify the bearer. It should not be confused with an access badge as it serves different purposes and may have a different appearance.

Individual under contract (Travailleur contractuel) - an outside worker (i.e. not an employee) including contractors, tradespersons, consultants and agency employees who may or may not be screened, depending on the extent of work and access required.

Visitor (Visiteur) - an individual who does not work for the government department/organization occupying the host facility/complex, but has some legitimate reason for being on the premises and a need to be processed by the control of access system in place.

4.  Control of Access Procedures

The effectiveness of control of access is enhanced when employees can be readily distinguished from other persons who might be on the premises. To accomplish this, a procedure must be in place to permit quick and effective verification that affiliates, employees, individuals under contract and visitors have been processed through the control of access. This is normally accomplished by one of the following methods:

  • personal recognition (in the case of smaller facilities);
  • identification cards and/or access badges;
  • administrative procedures;
  • escorts; and
  • mechanical systems.

While the method of controlling access based on personal recognition is an accepted strategy under certain circumstances, caution should be used when relying on it as the sole method. Also, this method of controlling access does not remove the requirement of the department/organization from issuing identification cards to employees. For further information on access control please refer to the RCMP’s Physical Security Guide G1-024 “Control of Access”.

5.  Card Types

This document examines the following card types:

  • identification cards;
  • access badges (electronic and non-mechanical); and
  • combination cards.

5.1  Identification Cards

5.1.1  General

The commonly accepted method of identifying personnel as employees or representatives of a department/organization is by the use of identification cards. Employees should carry them at all times. Identification cards must only be issued to individuals who have met the screening requirements of the Treasury Board Secretariat’s Government Security Policy (GSP). This procedure must be completed prior to individuals starting their work-related duties. Only one employee identification card must be issued at any one time unless a TRA recommends otherwise.

Departments/Organizations needing to issue identification cards to persons not fitting the traditional definition of an employee (i.e. a student, volunteer or contract worker) may optionally use an “affiliation” field. This field would identify the classification of the employee and ensure its verifiability during a visual examination. A solid or patterned line border may be used with the photo to further identify affiliation. The border must not obscure the photo.

5.1.2  Physical Characteristics

As a minimum, an identification card must contain the individual's name, colour photograph or digitized image, the name of the issuing department/organization, date of expiry (maximum five years from date of issue) and a number unique to the card. A department/organization considering additional information fields must ensure each item is justifiable under existing Human Rights and Privacy Act legislation, i.e., there must be a justified need for the inclusion of details such as employee height, weight, hair colour and date of birth. It is not permissible for an identification card to contain the individual's social insurance number.

The photograph of the bearer should provide a 3/4 frontal view of the head and upper shoulders (refer to Appendix A - Best Practices). The bearer must be re-photographed at least every five years. The card's photograph and/or information fields should be updated immediately or at the discretion of the departmental/organizational authority whenever major identification features have changed, e.g. beard, moustache, hair colour or weight gain/loss.

All information on the inserts/cards must be machine-written without erasures or alterations. Refer to Appendix B - Card Requirements Table for a summary of card requirements.

5.2  Access Badges (Electronic and Non-Mechanical)

5.2.1  General

Access badges must be worn at all times while in the facility/complex. It may be necessary to quickly and effectively determine whether affiliates, employees, individuals under contract or visitors have authorized access to a facility/complex or zone. This is usually accomplished through the use of an access badge. An access badge also indicates that affiliates, employees, individuals under contract or visitors have been properly processed through the control of access procedures.

An employee’s access badge should provide a photo of the bearer. Access badges indicate authorization only. Additional steps intended to verify identity, such as showing an identification card or other positive identifying documentation, should be taken where warranted (refer to Appendix C - Recommended Verification Procedures).

Control staff may be used at an entry point to verify that persons entering the restricted-access areas are wearing appropriate badges. Alternatively, the card may be combined with an electronic access control system to permit access. Refer to the RCMP’s Physical Security Guide G1-024 “Control of Access” for further information.

In the case of electronic access badges, the access control system takes on some or all of the responsibility of determining access rights.

5.2.2  Physical Characteristics

Access badges should be at least industry standard size, allowing for an appreciably larger photograph or digitized image of the bearer than identification cards. A large and clear photograph or digitized image combined with coding is essential for the control staff to quickly establish the access status of the bearer. Access badge sizes should be greater if it is necessary to be able to visually check the badge from a distance. Electronic access badges are available in industry standard size, and this should be taken into account when designing the layout of the information fields. Non-mechanical access badges do not contain any of the technology found in electronic access control cards and may be oversized to facilitate visibility from a distance.

Access badges should visibly identify the issuing department/organization by the use of items such as crests, emblems and acronyms. When the TRA identifies exploitable vulnerabilities, indirect codes, e.g. letters and designs easily recognized by authorized personnel, should be used to distinguish badges from those of other departments/organizations, and data on the access badge should not identify it with a particular facility/complex.

Visible features can indicate the zones to which employees, tradespersons and visitors have authorized access. These features can be colours, badge shape, codes (e.g. numbers, letters and bars) or any combination thereof which readily establish to authorized personnel that the bearer has been properly processed through the access control system for the facility/complex or zone. Caution should be exercised when applying this option as visible identification of the special access authorization could pose an increased threat to the information and assets within that zone. For further information on zones please refer to the RCMP’s Physical Security Guide G1-026 “Application of Physical Security Zones”.

Any information on the badge/inserts must be machine-written without erasures or alterations.

5.2.3  Employee Access Badges

The primary purpose of this badge is to visibly establish the bearer as an employee with authorized access to the facility/complex or zone by providing a 3/4 frontal photograph or digitized image of head and upper shoulders which should cover at least 50% of the badge face.

The employee access badge should bear the employee's name and an expiry date, and indicate that authority has been granted to enter a facility/complex or zone. Through the use of features such as colour combinations, the employee access badge may also indicate authorization for temporary employees or contract personnel. A combination of any of the features identified in the section above can be used to further confirm authorization and recognition of the bearer. Employee access badges must contain numbers that are unique to the badge and should be renewed at least every five years. Only one access badge at any one time must be issued to any person. If a new access badge needs to be issued, procedures should be in place to determine the steps to be followed, including the issuance of a new unique number.

Employee access badges for Operations Zones can be removed from the zone or facility/complex for which they have been issued if an operational reason exists. Exceptions to this policy are required if a TRA indicates that the threat posed by a person who has possession of a lost or stolen badge will compromise existing security safeguards. When employees are allowed to remove these badges from the facility/complex or zone they should be notified of their responsibility and be provided with recommended safekeeping procedures, i.e. out of sight or secured in a container at their residence.

5.2.4  Individual Under Contract Access Badges

These access badges generally contain no photograph or name but clearly indicate the bearer as being an authorized individual. This is usually indicated through the use of such features as colour, letters and numbers. Where the individual has passed a security screening procedure but is not directly under the control of the department/organization, a photo access badge with appropriate background colours and bar codes may be issued. Each individual access badge should contain a number unique to the badge.

Access authorization is indicated by use of the methods identified in Appendix B - Recommended Verification Procedures. Departmental/organizational policy should stipulate whether tradespersons require escorts and under what conditions access will be permitted.

Individual under contract access badges must not leave the facility/complex for which they were issued and must be returned to the issuing office at the end of each visit. A record of issue should be established to identify the cardholder, the company represented and the purpose of the visit.

5.2.5  Visitor Access Badges

Visitor access badges usually contain no photograph or name but clearly establish the bearer as an authorized visitor to the department/organization. Badges may also be issued to visitors indicating that the person has been granted a temporary authorization to access a specific area. This is usually indicated through the use of such features as colour, letters and numbers on the inserts/badge.

Visitor access badges should contain a number unique to the badge to help facilitate tracking and inventory verification. When the TRA identifies exploitable vulnerabilities, visitors should be escorted to and within a facility's/complex’s restricted areas (Operations, Security and High Security Zones).

Visitor/daily access badges must not leave the facility/complex for which they were issued and must be returned to the issuing office at the end of each visit. A record of issue should be established to identify the cardholder, the organization represented, the purpose of the visit and the person being visited.

5.3  Combination Cards

Some departments/organizations may wish to incorporate the identification card/access badge requirements on one credential. The combination of these requirements is possible when supported by the departmental/organizational TRA and operational requirements, e.g., if the TRA indicates the threat posed by a person having possession of a lost or stolen access badge and identification card is manageable. When used, the combined card/badge should:

  • satisfy the requirements of both identification cards and access badges, with the more stringent of the requirements taking precedence between the two; and
  • be renewed every five years or when major identification features have changed (five years being the more stringent of the requirements between the two).

Refer to Appendix B - Card Requirements Table for a summary of card requirements.

6.  Security Features

The earlier sections of this security guide establish minimum guidelines to be used for identification card and access badge systems. However, a TRA may indicate that additional security features are required, such as:

  • ratio of plastic and resin used in the laminate material, where applicable;
  • watermarks;
  • laser etchings and engraving;
  • optical designs which are difficult to alter or manipulate;
  • holograms; and
  • codes that are visible only under special lighting.

The security features incorporated shall not:

  • result in any defects;
  • obscure printed information; or
  • impede access to machine-readable information.

7.  System Administration

7.1  Handling Procedures

Each department/organization must establish procedures for the proper handling of identification cards and access badges. These procedures should:

  1. Verify at the time of issuance that the individual to whom the credential is to be issued and on whom the background investigation was completed is the same as the intended applicant/ recipient as approved by the appropriate authority.
  2. Establish a process for issuing and recovering both identification cards and access badges whereas a record is kept of the date of issue, the identity of the bearer, the number of the card or badge, and if necessary, the security screening or reliability status of the bearer, when an update is required and the recovery date of the card or badge.
  3. Establish the process to follow when verifying the authenticity of cards or badges held by personnel, such as keeping a record of signatures in a log book.
  4. Provide guidelines for withdrawal of either cards or badges for cause.
  5. Indicate how to report improper use, damage and loss or theft of cards or badges.
  6. Upon issuing replacement cards and badges when lost or suspected stolen, ensure a new unique number is issued.
  7. Perform an audit on lost or stolen access cards to determine the usage history of the card since it was first noticed missing.
  8. Upon notification of a lost or stolen card, the department/organization must take immediate steps to deactivate the card.
  9. Ensure retrieval of cards or badges upon termination of employment, contract or when no longer required, and ensure that credentials are only serviceable up to the expiration date or termination.
  10. Ensure all equipment necessary for the issue of cards or badges are physically protected to a level equal to that of the classified or protected information and assets to which they will indicate authorized access. Also, additional measures may be required based on a TRA.
  11. Ensure that a process is established which will prohibit the removal of access badges from the facility/complex or Security or High Security Zone when a TRA indicates the requirement.
  12. Establish a process to destroy all expired and/or damaged cards and badges.
  13. Ensure no single official in the process may issue a credential to a person.
  14. Ensure no credential is re-issued to an individual for whatever reason until positive identification is verified and the individual is still entitled to the credential.

7.2  Return of Lost Cards

Canada Post’s current policy does not provide for delivery of departmental/organizational ID cards deposited in mailboxes, even if an address is included on the card. Departments/Organizations may, however, enter into some form of MOU with Canada Post to ensure the return of their ID cards.

7.3  Employee Awareness

The department/organization should have a security awareness program which ensures that all employees are aware of the facility/complex identification card and/or access badge system and their responsibilities in the successful operation of such a system. This program should include administration of the system, familiarization with each type of card and badge (i.e. affiliation, individual under contract, employee, visitor) access afforded by each type of badge, proper use of the card/badge, responsibilities of the card/badge bearer, display requirements and procedures to follow when a violation, loss or theft occurs.

The program should also remind employees that they are a part of the security program as well as the steps they should take when they become aware of persons without access badges in restricted-access areas.

Appendix A - Best Practices

1.  Badge Orientation

All personnel must visibly display their badges at all times while in a restricted-access area.

Access badges should be worn at chest height, allowing the bearer’s photograph and face to be readily compared. Access badges that are worn upside down or on the hip make it difficult to quickly and effectively determine if the photo on the card matches the person wearing the badge.

Employees may be reluctant to challenge individuals if they appear to be wearing access cards even though the card may not be readily visible. A policy that requires the badges to be worn around the neck will encourage employees to participate in the control of access procedures. If health and safety concerns are associated with wearing badges around the neck (i.e. working around heavy equipment) alternative measures will be required.

Lanyards, retractable badge reels, snap hooks, clips, etc. used to hold badges should not include pre-printed identifiable departmental/organizational markings.

Employee access badges for Security or High Security Zones should not be removed from the facility/complex for which they have been issued and could even be restricted to the zone for which they are issued, if warranted by the TRA.

2.  Photographic Requirements

The photograph appearing on the badge should be as large as possible to help facilitate quick visual checks. The photograph of the individual should be full colour showing the full face, head and upper shoulders, and should be sized to occupy as much of the frame as possible. On an industry standard size insert/card, the photograph commonly covers 40% of the badge and the information 60%. However, photographs of this size are not large enough to give personnel time to compare the photograph with the bearer prior to passing or contacting the individual. Therefore, consideration should be given to increasing the size of the photograph.

Photographs should be re-taken every five (5) years for ID cards, access badges and combination cards. Minimum print resolution is 300 dpi (dots per inch), although higher resolutions are recommended.

Head coverings that conceal any visible portion of the head (i.e., ball caps, bandanas or headscarves) should not be worn, unless they constitute a religious obligation.

Eyewear, if such is normally worn, are to be maintained for the photograph, but not sunglasses, unless the individual has a certifiable requirement to wear them.

Background colours should be neutral in nature and provide for contrast from the individual’s complexion to ensure high visibility.

3.  Visitor and Individual Under Contract Access Badges

Persons requiring access to the facility/complex should have their identity verified by security staff before being issued access badges. Staff members should be required to sign in visitors and individuals under contract, and be responsible for the access badge.

Unlike an access badge with a photo, visitor and individual under contract access badges can be used by a number of individuals. In order to ensure that the cards represent a properly cleared person, effective control over the number and whereabouts of access badges must be maintained.

4.  Alterations to Cards

Departments/Organizations may choose to punch an opening in the card body to enable the card to be worn on a lanyard. Departments/Organizations should ensure such alterations are closely coordinated with the card vendor and/or manufacturer to ensure that card material integrity is not adversely impacted.

It is recommended departments/organizations ensure such alterations do not:

  • compromise card body durability requirements and characteristics;
  • invalidate card manufacturer warranties or other product claims;
  • alter or interfere with printed information, including the photo; and
  • damage or interfere with machine-readable technology, such as the embedded antenna.

Appendix B - Card Requirements Table

Information fields Employee ID card Employee access badge
(non-mechanical or electronic)		 Combo Card 1
(ID & non-mechanical access badge)

Combo Card 2
(ID and electronic access badge)		 Visitor card/badge

Individual under contract card/badge		 Affiliation card / badge
Individual’s name Must Should Must Can4 Must
Individual’s signature Should1 Can Should1 Can4 Should1
Colour photograph/ Digitized image Must Should Must Can4 Must
Name of issuing department/ organization Must Should Must Must Must
Location privilege - colours, badge shape, codes Never Can5 Can5 Can5 Can5
Date of expiry Must2 Should2 Must2 Must2 Must2
Unique card number Must Must Must Must Must2
Date of birth Can3 Can (month & year only)3 Can3 Never Never
Lost/ Stolen ID cards/ badges Refer to Section 7

NOTE: All information must be machine-written without erasures or alterations.

1  Although recommended, some departments/organizations may choose not to put a signature on an ID, combination or affiliation card / badge (if deemed operationally necessary)

2  Five (5) years from date of issue

3  Ensure each item is justifiable under existing Human Rights and Privacy Act legislation

4  Departments should tailor this requirement to the frequency of visits and length of contract

5  It is recommended that facility location not be identified on access badges

Appendix C - Recommended Verification Procedures

The need for ID cards and access badges can be found in TBS’s Operational Security Standard – Readiness Levels for Federal Government Facilities. In the standard, Readiness Level One requires “the mandatory control of all access points within all federal facilities, including visitor control”. ID cards and access badges have a significant impact on the implementation of the readiness standard; therefore, the full version of the standard should be reviewed through the Departmental Security Officer.

An example of how the use of ID cards and badges can support the standard is provided below:

Visual identity verification

A person (typically security personnel, as used hereafter) shall perform visual identity verification of the cardholder and determine whether the identified individual should be allowed through the control point. The series of steps that shall be applied in the visual authentication process are as follows:

  1. Security personnel at the access control entry point determine whether the card appears to be genuine and has not been altered in any way.
  2. Security personnel compare the cardholder’s facial features with the photograph on the card to ensure that they match.
  3. Security personnel check the expiration date on the card to ensure that the card has not expired.
  4. Security personnel compare the cardholder’s physical characteristic descriptions to those of the cardholder (optional).
  5. Security personnel collect the cardholder’s signature and compare it with the signature on the card (optional).
  6. Security personnel determine whether the cardholder should be granted access by analyzing one or more data elements on the card (e.g., name, employee affiliation, employment identifier, agency card serial number, issuer identification, agency name).

Appendix D - Lamination Technical Specifications

Identification cards should be at least credit card size 2.125 in. x 3.375 in. (54 mm x 86 mm) with a protective, sturdy, transparent, tamper-resistant, thermally-laminated cover (usually plastic) designed to make unauthorized alterations to the insert difficult. The cards are usually white, No. 4 bond, 90 g/m2 as specified in CGSB Standard 9-GP-1M, with scattered coloured planchettes.

Access badges should consist of a protective, sturdy, transparent, tamper-resistant, thermally-laminated cover (usually plastic) designed to make unauthorized alterations to the insert (usually photographic paper) difficult.

Laminate materials can be obtained in various qualities. However, as a minimum, the polyester should be .007 in. (.178 mm) and the resin .003 in. (.076 mm) for a combined thickness of .02 in. (.51 mm) plus the insert. Materials which merely enclose and protect the insert should not be used for identification cards and access badges. Laminate materials to be used should deface the front and back of the insert if removal or alteration is attempted.

NOTE: The use of laminating technology for identification cards or access badges carries certain inherent risks and vulnerabilities. If you are using or planning to use laminating technology, the completion of a TRA is highly recommended.

 

Endnotes

1 Departmental/organizational threat and risk assessments (TRAs) may require more stringent procedures.

2 Access to classified or protected assets is based on a "need-to-know" requirement, in addition to having the appropriate security clearance level.


To read Adobe Acrobat (PDF) files, you may need to download and install the free Adobe Reader available from Adobe Systems Incorporated.

Date Modified: 2009-10-23

Top of Page
Important Notices