Data Protection Impact Assessment (DPIA) –
Guard-e-Loo
Project name: Guard-e-Loo vandalism prevention system
Date: 16/09/2025
Prepared by: Dominic Pain / Guard-e-loo Ltd.

1. Purpose of the processing
   Guard-e-Loo is designed to reduce vandalism in public toilet facilities.
   Capture an image of a user as they enter the doorway of the facility.
   Capture an image of the toilet when they leave.
   Compare before/after images for new damage.
   If vandalism is detected: alert monitoring team, send relevant image to Police Scotland, delete
   local copy once sent.
   If no damage: all images are deleted immediately.
2. Lawful basis
   Legitimate interests: prevention and detection of crime (vandalism), and protection of public
   assets.
   Balancing test: minimal data captured; no profiling; immediate deletion unless crime suspected.
   No other system has yet prevented repeated vandalism of facilities.
3. Types of data collected
   Entry image (service user).
   Exit image (toilet condition).
   Metadata (time/date).
   No biometric processing, no audio, no video, no behavioural analysis.
4. Data storage and retention
   Images stored briefly on device RAM/local cache.
   If no vandalism → deleted immediately.
   If vandalism suspected → before/after images transmitted to monitoring team; if suspected
   vandalism, forwarded to police.
   Image deleted from device after transmission; deleted from Guard-e-Loo once receipt by police
   is confirmed.
5. Data sharing
   Monitoring team (authorised staff only).
   Police Scotland (in event of confirmed vandalism).
   No third parties, no international transfer.
6. Risks identified
   Risk of accidental retention of images.
   Risk of unauthorised access to transmitted images.
   Risk of user misunderstanding (thinking images are stored long-term).
7. Mitigations
   Automated deletion protocols built into system.
   End-to-end encryption for all transmissions.
   Access restricted to authorised monitoring staff.
   Camera is physically shuttered, automatically, when it detects motion – no person ever recorded
   inside the facility.
   No filming of activity other than the doorframe of the facilities.
   Clear signage in facilities: “Guard-e-Loo in use – images deleted immediately unless vandalism
   detected.”, or similar.
   Annual system audit.
8. Residual risks
   Very low risk of temporary storage while waiting for transmission.
   Considered proportionate given significant vandalism prevention benefits.
9. Consultation
   Users informed via clear signage, to include QR code linking to website with detailed
   multilingual and accessible explanation of process.
   Police Scotland and ICO may be consulted during pilot phase.
   Highland Council as data controller if deployed.
10. Conclusion

Processing is proportionate, necessary, and designed with privacy by design and by default. Guard-e-
Loo minimises GDPR exposure through immediate deletion, no profiling, and no long-term storage.