Is Employee Monitoring Legal in India? The DPDP-Era Answer
The short answer is yes — employee monitoring is legal in India. The longer answer is that “legal” is doing a lot of work in that sentence, and the DPDP Act 2023 has rewritten what it carries. Monitoring an employer-owned laptop for a stated business purpose with informed employees: legal. Silently logging keystrokes on a personal phone: a liability event waiting for a complainant. The line between the two is not technical sophistication. It is notice, purpose, and proportion.
This post is the legal half of the question. The buyer’s half — what monitoring software should and shouldn’t do, the privacy-first checklist, the rollout playbook — lives in our full guide to employee monitoring in India.
The three legal layers
No single Indian statute says “workplace monitoring.” Three regimes combine to govern it:
- IT Act 2000 + the SPDI Rules 2011: require “reasonable security practices” for sensitive personal data, and notice plus consent for collecting sensitive categories — which include biometric records and password-like credentials. Biometric attendance systems sit squarely inside this regime.
- The DPDP Act 2023: the general data-protection law. Processing personal data requires a lawful basis — consent, or “legitimate use” — plus purpose limitation, data minimisation, and Data Principal rights: access, correction, erasure. Employment is one of the recognised legitimate-use contexts, which is why workplace monitoring can proceed without per-datum consent — if it is proportionate and notified.
- State Shops & Establishments Acts: mostly silent on monitoring as such, but they anchor the employer’s recordkeeping obligations — attendance and wage registers that monitoring data often feeds.
The five-condition test
Distilled across the three regimes, monitoring stands on defensible ground when all five conditions hold:
- Employees are informed — a written policy naming what is tracked, before tracking begins.
- The purpose is legitimate — client billing, security, project costing; something specific you could state to a regulator without wincing.
- The measures are proportionate — the least intrusive collection that serves the purpose.
- Retention is bounded — data kept only as long as the purpose requires.
- Employees can access their own records — the DPDP access right, made real in the product.
Notice the structural implication: covert monitoring fails condition one by definition. There is no compliant version of secretly monitoring employees in the DPDP era. Whatever a vendor’s “stealth mode” toggle suggests, switching it on converts a compliance instrument into evidence.
What proportionality means in practice
Proportionality is the test most buyers under-weight, because it constrains not whether you monitor but how much. Working translations:
- Activity signals over content. Active-versus-idle and app-category data usually serve a productivity purpose; keystroke contents never do. Keystroke logging captures passwords, medical queries, personal messages — collection wildly in excess of any stated purpose, and the clearest proportionality failure in the category.
- Periodic over continuous. If screenshots serve the purpose at all, periodic capture with a disclosed frequency is defensible where continuous recording is not. Off-by-default is the safer posture still.
- Work context only. Employer-owned devices during work hours. Personal devices without an explicitly installed, consented agent are effectively off-limits — monitoring hardware the company doesn’t own and the employee didn’t opt into is generally indefensible.
- Private hours that produce nothing. Proportionality implies employees can mark personal time — a medical call, a bank visit — and have it generate zero records server-side, not hidden ones.
Retention: the quiet obligation
Purpose limitation has a time dimension. Monitoring data kept indefinitely is data kept beyond its purpose, and that is a DPDP problem regardless of how lawfully it was collected. Defensible defaults: project-time data for the client-billing dispute window (12–24 months), productivity scores for the current review cycle (3–12 months), screenshots 30–90 days, idle/active signals around 90 days. De-identified team aggregates can persist; identifiable raw signals should not.
What non-compliance actually costs
The DPDP Act carries financial penalties for data fiduciaries that scale to ₹250 crore for serious breaches — a ceiling set for large-scale failures, but a signal of how the regime prices data misuse. For most employers the nearer-term costs are smaller and likelier: employee grievances, evidence thrown out of disciplinary proceedings because it was covertly gathered, attrition among exactly the senior engineers who read installation manifests, and the reputational tax of a Glassdoor review that says “they log keystrokes.” The compliant path is also, conveniently, the path teams tolerate.
Choosing software that makes compliance the default
Most monitoring-law exposure is created by tool configuration, not tool category — which means the defaults you buy matter more than the policy you write. EmployeeSight Work was built so the compliant configuration is the shipped configuration: screenshots off by default, keystrokes never captured at the architectural level, per-employee private hours that produce zero records, employees able to view their own data, and an audit log on every admin action. The five-condition test above isn’t a deployment project. It’s the factory setting.
FAQ
Is employee monitoring legal in India in 2026?
Yes, on employer-owned devices and systems, for legitimate business purposes, with informed employees, proportionate measures, bounded retention, and employee access to their own records. Covert monitoring and personal-device tracking fall outside this safe ground.
Does the DPDP Act 2023 require consent for workplace monitoring?
Not necessarily per-datum consent — employment-context processing can proceed on the legitimate-use ground if it is proportionate and notified. Written informed consent remains the safest posture, and sensitive categories such as biometrics still require it under the SPDI Rules.
Can monitoring data be used in disciplinary proceedings?
Data gathered under a disclosed policy for a stated purpose generally can. Data gathered covertly, or far outside the stated purpose, is vulnerable to challenge and undermines the employer’s position rather than supporting it.
Is keystroke logging legal in India?
It occupies the worst legal ground in the category: it inevitably captures passwords and personal communications, failing proportionality and data minimisation under the DPDP Act regardless of notice. No mainstream legitimate purpose requires keystroke contents; activity-level signals serve every defensible use case.