It is 8.10 am on a Monday morning in November. You are the operations manager of a private security firm in the province of Modena; you have sixty-two security guards on duty, around a hundred sites – including fixed posts and night patrols – and you’re looking at last week’s Excel spreadsheet. As you drink your second coffee, you scroll through the patrols in the industrial area east of the ring road – the one with the three logistics warehouses and the fuel depot – and your eye is caught by a row that doesn’t add up. Guard Rossi clocked in at 23:47 on Thursday at Point 4 – the forecourt behind the depot – with a WhatsApp message sent to his colleague in the operations room: ‘Point 4 OK, everything normal’. The problem is that last night, Saturday, you drove past there at 23:50 and that checkpoint was dark, with no patrol car, and the barrier at the entrance was in exactly the same position as you’d seen it two hours earlier. Perhaps Rossi really did pass through and you didn’t notice. Perhaps he never went there at all and sent the WhatsApp message from his sofa at home, twenty kilometres away.
On Wednesday, the client from the fuel depot calls. An attempted break-in on Thursday night; a CCTV camera captured a shadow at 11.52 pm on the south side of the forecourt, exactly five minutes after Rossi’s supposed visit. He wants to know where the guard was. He wants the access log. He wants proof. And all you have is a WhatsApp message saying ‘Point 4 ok, everything’s fine’. No coordinates, no photos, no motion sensor at the driveway triggered. Just Rossi’s word against the doubts of a client who pays €4,200 a month in security fees and is now threatening not to renew the contract. You already know how it will end: either you give in and offer a discount on this month’s fee, or the contract goes to a competitor who has a certified tracking system. Either way, you lose out.
This is a scenario that every owner or operations manager of a security firm has experienced at least once. It’s almost never down to bad faith on the part of the guard – though sometimes it is – but more often it’s the seasoned guard who, after three hundred rounds a month, skips a check because they know that “nothing ever happens in that car park anyway”; it’s the young new recruit who forgets a check and covers it up with a quick message; it’s the patrol officer who parks outside so as not to waste time with the automatic gate. The problem isn’t the individual incident. It’s that without a chain of objective evidence, every client – whether in the public sector, healthcare, banking or industry – knows that your defence amounts to nothing more than a word and a signature on a paper log. And in a world that demands digital logs for everything, that’s worth less and less.
If a security guard who skips a patrol is left with no defence when confronted by a bank customer, two weeks’ worth of digital logs plug the gap.
No credit card required; up and running in 2 minutes.
Look at the sectorWhy self-declared presence no longer holds water in security
In the security sector, proof of presence is the very product you’re selling. When a pharmaceutical company signs a contract for night-time patrols comprising 11 rounds per night, it isn’t buying ‘a person in uniform who goes round’: it is buying eleven chronological and geographical assurances per night, every night, seven days a week. If you cannot objectively demonstrate those eleven certainties, you are selling a service that is structurally identical to that of your competitor, and at that point the client’s decision comes down solely to price. Worse still: the moment something goes wrong – and sooner or later something always does – it is up to you to prove that you have done your job. It is not up to the client to prove that you haven’t.
The paper log of patrols, the ‘daily report’ filled in at the end of a shift at the operations room desk, the radio call with the tired voice of the dispatcher saying ‘patrol complete’, the magnetic key swiped across a wall-mounted reader: these are all systems that have worked for thirty years because nobody had any alternatives. Today, alternatives do exist; your competitors are using them, and your clients – especially institutional ones – are specifying them in their tender documents. Public hospitals, banks, local authorities, energy network operators: recent tenders increasingly include the clause “digital system for tracking access with timestamps and geolocation, data exportable at the client’s request”. If your organisation doesn’t have this, you won’t even be considered for the contract.
On the internal front, the vulnerability is even more serious. A security guard who skips a patrol and covers it up via WhatsApp is not just a service issue: it is a criminal risk for you. If something happens at the site that night – a theft, a fire, or an intrusion with serious consequences – and the investigation reveals that the declared patrol never took place, the security firm will be held liable for breach of contract, possible contributory negligence, and in the most serious cases, the Prefecture may suspend or revoke the licence pursuant to Article 134 of the TULPS. You are building your defence – both with the client and with the authorities – on a WhatsApp message and on human memory. That is not a defence.
What a GPS security attendance app really needs to do
An attendance app designed for security work is not a generic time-recording system that has simply been adapted. It must recognise that the work of a security guard has specific characteristics that software designed for offices or cleaning services cannot handle. The first is the dual nature of fixed posts and mobile patrols: a guard at a hospital entrance needs a single geofenced clock-in at their post, with a minimal margin of tolerance, whilst a patrol officer covering eleven checkpoints across six different sites requires a sequence of timed check-ins, each linked to a narrow geographical perimeter and an expected time of passage. The same app must handle both scenarios without forcing the operations manager to configure two separate systems.
The second is tamper resistance. A GPS surveillance system that merely reads the phone’s location can be bypassed in five minutes using a mock location app, and that is precisely what every ‘experienced’ security guard knows how to do. Three levels of protection are required: detection of fictitious locations at operating system level, a server-signed timestamp at the moment of the tap (not at the moment of synchronisation, which the guard can deliberately delay), and correlation between the check-in coordinates and a consistent sequence of previous check-ins; if Mr Rossi clocks in at 23:47 in Modena and at 23:52 forty kilometres away, the system must automatically flag the anomaly to the operations centre, not at the end of the month in the report.
The third requirement is integration with rest periods. Italian legislation on night work, as applied to the National Collective Labour Agreement for Private Security and Trust Services, imposes precise limits on consecutive hours of service and on rest periods between shifts. An app that merely records clock-in times is not enough: it must show the scheduler, whilst drawing up the weekly rota, whether security guard Rossi – whom you have assigned to the 22:00–06:00 shift on Monday – can legally also be assigned to the 14:00–22:00 shift on Tuesday, or whether they are accumulating hours that will lead to a trade union complaint or an INL inspection. Finally, the fourth feature is the exportable evidence package: every night, it must be able to automatically generate, at the client’s request, a PDF containing the timings of all patrols, coordinates, any photos taken by the guard, reported anomalies, and a cryptographic verification reference. The fuel depot client who calls you on Wednesday doesn’t want an explanation: they want the document. You send it to them by email in three minutes and the conversation is over.
GDPR and the regulatory framework: tracking is lawful, but it must be done properly
The security sector is one of the contexts in which the Data Protection Authority has repeatedly reaffirmed the legitimacy of GPS tracking of workers, recognising the specific purpose of protecting the client’s assets and ensuring the safety of the security guard themselves, who works alone at potentially exposed sites. Article 4 of the Workers’ Statute, in its post-Jobs Act version, explicitly authorises these systems when they are functional to the organisation of the service. The National Collective Labour Agreement for Private Security, supplemented by the ASSIV (Italian Association of Security and Trust Services) protocols, sets out the framework for informing employees. Article 134 of the TULPS and the implementing regulations assign to the Prefecture the responsibility for verifying the lawfulness of the organisation’s operating procedures, and the use of digital tracking systems is now viewed as a positive factor in periodic inspections.







