How to Stop Buddy Punching on UK Construction Sites
Buddy punching — one worker clocking in for another — is a problem every site manager has seen and almost nobody measures. Here's why construction sites are so exposed, what it genuinely costs, and the ladder of fixes — from a signature on a damp sheet of paper to facial-recognition clock-in that stops it outright.
What buddy punching is — and why construction sites are exposed
Buddy punching is simple: a worker who isn't on site gets clocked in by a colleague who is. Sometimes it's deliberate and organised. Far more often it starts innocently — "sign me in, I'm ten minutes out" — and quietly hardens into a habit. Either way, you pay for hours nobody worked, and your site records stop telling the truth.
Construction is more exposed than almost any other industry, for structural reasons:
- Paper sign-in sheets. A clipboard at the gate records whatever gets written on it — nothing proves who held the pen, or when.
- Shared logins and shared devices. One tablet, one password, whole crew. If everyone uses the same credentials, the system literally cannot tell workers apart.
- Big crews. On a busy site, no supervisor can honestly say they clocked every face through the gate between 7.00 and 7.30 on a wet Monday.
- Subcontractor churn. New faces arrive weekly. A supervisor who doesn't yet know a bricklayer's name won't notice someone signing in on his behalf.
- Remote and multiple sites. When the office is thirty miles from the job, attendance is whatever the paperwork says it was.
What it actually costs
We're not going to quote you a scary percentage. Plenty of articles do, and very few of those figures can be traced back to a real study. The honest answer is that the cost has three parts, and you can estimate each for your own firm better than any statistic can:
- Paid, unworked hours. The direct one. Every fifteen minutes clocked before a worker actually arrives — or after they've left — goes out in wages at the full loaded rate. Where those minutes tip someone into overtime, they go at a premium.
- Distorted job costing. Labour hours are how construction firms price work. If the recorded hours on a job include time that was never worked, the job looks less profitable than it was — and the next tender you price from that data inherits the error.
- Health & safety and roll-call risk. Your attendance record doubles as your emergency roll-call. If it says someone is on site who isn't, a fire marshal may hold an evacuation looking for a worker who's at home. The reverse is as bad: someone genuinely on site but not on the register is invisible in an emergency. Inaccurate records also undermine induction and competence trails after an incident.
A timesheet isn't just a payroll input. On a construction site it's also your emergency roll-call, your job-costing record and part of your compliance trail. If it's wrong, all three are wrong.
The ladder of fixes, weakest to strongest
The ladder below runs from methods that prove almost nothing to the one that proves identity itself.
1. Supervisor sign-in sheets
The baseline, and the weakest rung. Signatures are trivially forged; sheets get batch-signed at day's end from memory; the supervisor on a multi-subcontractor site can't vouch for faces they've never met; and the sheet itself gets lost, soaked or quietly rewritten before it reaches the office. Even when everyone is honest, someone still has to type it all into payroll — a second chance for errors to creep in.
2. PIN kiosks
A shared tablet at the gate with a personal PIN per worker is a genuine step up: entries are timestamped, legible and digital, with no re-keying. But a PIN only proves that someone knew a number. Buddy punching is co-operative by nature — the absent worker hands their PIN over willingly, which is precisely the scenario a PIN cannot defend against.
3. GPS and geofenced clock-in
Workers clock in on their own phones, and the app only accepts the punch if the phone is inside a geofence drawn around the site. This kills the laziest abuse outright — clocking in from bed, the café or the van on the motorway. What it can't do is prove who is holding the phone. A worker already on site can carry a mate's handset through the gate and clock in for both. GPS proves where; it doesn't prove who.
4. Facial-recognition clock-in
The top rung. At the moment of clock-in, the camera checks the worker's face against the template they enrolled with. This is the only method on the ladder that verifies identity itself, and it ends buddy punching for a blunt reason: a colleague can borrow your PIN and your phone, but not your face.
| Method | What it proves | How it gets beaten |
|---|---|---|
| Sign-in sheet | A name was written down | Forged or batch-signed; sheets lost or rewritten |
| PIN kiosk | Someone knew the PIN | PINs are shared willingly — that's the whole scheme |
| GPS + geofence | The phone was on site | Phone handed to a mate who is on site |
| Facial recognition | The worker was there | It isn't — a face can't be lent |
UK GDPR and biometrics: doing it properly
Facial-recognition data used to identify a person is special-category biometric data under UK GDPR, which means the bar is higher than for ordinary employee data. That is not a reason to avoid it — it's a reason to do it correctly:
- Explicit consent, freely given. In an employment relationship, consent is only real if saying no carries no penalty — which means a genuine alternative clock-in method must exist alongside the biometric one.
- Store a numeric template, not photographs. A properly built system converts the face into a mathematical template used only for matching. No gallery of worker photos should ever accumulate.
- Delete on withdrawal. If a worker withdraws consent, or leaves the firm, the template goes. Retention "just in case" is exactly what the rules exist to prevent.
- Be transparent before day one. Run a data protection impact assessment, write a plain-English privacy notice, and explain to the workforce what is stored, where, and for how long — before the first enrolment, not after the first complaint.
These are the same principles Temporra follows in its own handling of biometric data — the specifics are on our security page.
A practical rollout checklist
- Pick a pilot site and draw its geofence — generous enough to cover the whole compound, tight enough to exclude the car park across the road.
- Complete a DPIA and a short privacy notice before anything is switched on.
- Brief the workforce in a toolbox talk: what's changing, what's stored, and what their choices are.
- Offer the choice plainly: facial-recognition clock-in, or PIN at the kiosk. No pressure either way.
- Enrol workers — moments per person; subcontractors can be enrolled on arrival.
- Run the new system alongside the old sheets for one pay period and compare.
- Review exceptions weekly — missed punches, geofence edge cases, workers who switched methods.
- After a month, retire the paper and let the digital record be the record.
How Temporra approaches it
Temporra was built for exactly this problem. Clock-ins are checked against a GPS geofence around each site, and firms that want identity verification can enable facial-recognition clock-in, with the face check verified server-side rather than trusted to the handset — so it can't be sidestepped by a tampered device. For workers who prefer not to use biometrics, kiosk mode with per-worker PINs is the built-in alternative, so consent stays genuinely optional. Verified hours then flow straight into payroll-ready exports and CIS statements. Plans and prices are on the pricing page, and if you're weighing up tools, our comparison with ClockShark covers where the two differ for UK construction firms.
Frequently asked questions
Is facial recognition legal on UK construction sites?
Yes, provided UK GDPR conditions are met: a lawful basis such as explicit consent, a completed DPIA, clear worker information, secure storage of templates rather than photos, and deletion when consent is withdrawn. The technology is lawful; careless deployment of it is not.
What if workers refuse biometrics?
They must be able to, without consequence — otherwise the consent underpinning the whole system fails. The answer is a genuine alternative, such as a PIN at a kiosk, offered with no fuss and no stigma.
Does GPS alone stop buddy punching?
No. Geofencing proves the clock-in happened at the site, which stops remote punching — but it proves location, not identity. A phone can be carried through the gate by someone else. Only identity verification closes that gap.
How fast can a small firm roll this out?
Faster than most expect. There's no hardware beyond phones and a spare tablet for the kiosk: draw the geofence, brief the crew, enrol workers as they arrive, and run one pay period alongside the old sheets. For a small firm, that's days of admin spread over a few weeks — not a project.
Prefer to see it first? Book a demo and we'll walk you through geofencing, facial recognition and kiosk mode. More guides are in our resources library.