ScreenJournal

Is employee monitoring legal in India?

Yes, employee monitoring is legal in India. No statute prohibits monitoring work on company devices, and the Digital Personal Data Protection Act 2023 expressly permits processing employee data for employment purposes without consent. But the DPDP Act is being phased in through 2027, and employers who monitor should prepare for its notice, security and breach duties now.

Updated on 6 July 2026. This page is general information, not legal advice.

What law governs employee monitoring in India right now?

India has no single workplace monitoring statute. Today the legality of monitoring rests on a combination of sources: the employment contract and workplace policies under the Indian Contract Act 1872, the employer's information security obligations under the Information Technology Act 2000, and, for data protection specifically, Section 43A of the IT Act together with the SPDI Rules 2011. Those rules require body corporates to apply reasonable security practices when handling sensitive personal data, and they remain the operative data protection regime until the DPDP Act's substantive provisions take effect.

In practice, monitoring employees on company-owned devices during work hours is lawful in India, and it is common. The safest position has always been to disclose it clearly in a policy the employee acknowledges, and the incoming DPDP regime rewards employers who already work that way.

What is the status of the DPDP Act?

The Digital Personal Data Protection Act 2023 is enacted but not yet fully enforceable, and its obligations arrive in phases. The table below summarises the timeline as it stands.

MilestoneDate
DPDP Act enacted11 August 2023
DPDP Rules 2025 notified13 November 2025
Consent manager framework operationalNovember 2026
Remaining substantive obligations enforceableMay 2027

The notification of the DPDP Rules on 13 November 2025 started an eighteen-month implementation window. Most of the duties that matter to employers, including notice and consent operations, breach notification and handling of individuals' rights requests, become enforceable across that window, with full compliance required by May 2027. Until the final phase lands, Section 43A of the IT Act and the SPDI Rules 2011 continue to apply.

Not for genuine employment purposes, and this is the Act's most important feature for monitoring. Section 7 lists "legitimate uses" for which personal data may be processed without consent, and Section 7(i) covers processing for the purposes of employment, and for safeguarding the employer from loss or liability, which the Act illustrates with examples such as preventing corporate espionage and protecting intellectual property. It also covers providing a service or benefit the employee has sought.

Routine work visibility, attendance, timesheets, security controls and performance supervision fit comfortably within employment purposes. The boundary matters, though. Monitoring that reaches beyond employment purposes, for example into personal communications, off-hours activity or personal devices, cannot ride on Section 7(i). It would need consent, and under the DPDP Act consent must be free, specific, informed and unambiguous, given after a clear notice, and withdrawable. An employee-facing notice describing what is monitored and why is therefore the sensible default even where consent is not strictly required.

What duties will employers have as data fiduciaries?

Under the DPDP Act an employer is a data fiduciary for its employees' digital personal data. The core duties are purpose limitation, reasonable security safeguards, erasure once the purpose is served, and a working grievance mechanism for data principals, who hold rights of access, correction and erasure. Where consent is the basis, a compliant notice must accompany it.

Breach duties are strict. A data fiduciary must inform the Data Protection Board of India and affected individuals without delay on becoming aware of a personal data breach, and file a detailed report with the Board within 72 hours. Larger employers may also be designated Significant Data Fiduciaries, which adds an India-based data protection officer, periodic data protection impact assessments and independent audits.

Penalties are adjudicated by the Data Protection Board and scale to the failure: up to ₹250 crore (2.5 billion rupees) for failing to implement reasonable security safeguards and up to ₹200 crore for failing to notify a breach, per instance. A stored archive of employee screenshots is exactly the kind of asset those two penalty heads were written for: it is sensitive, it is breach-prone, and it is hard to justify retaining.

How should employers prepare before May 2027?

Four steps cover most of the distance. First, inventory what your monitoring stack actually collects and where it is stored. Second, map each processing purpose to Section 7(i) or to consent, and rewrite employee notices so the mapping is visible. Third, impose retention discipline: data kept beyond its purpose becomes pure liability under the erasure duty. Fourth, prefer tools that minimise stored personal data, because every screenshot you never store is a breach report you never file.

How does privacy-first monitoring reduce exposure under the DPDP Act?

The DPDP Act does not ban monitoring; it prices data hoarding. Security safeguards, breach notification and erasure duties all scale with how much personal data you retain, so the cheapest compliance posture is to retain less.

ScreenJournal is an AI work visibility tool that reads on-screen work as it happens, turns it into a detailed timeline of what each person actually did, and then deletes the raw screen data. Timelines accumulate into a searchable chronicle of everyone's work history, and from them ScreenJournal generates timesheets and reports automatically and drafts standup summaries on request, answering questions about any of it in plain English.

Because the transient video capture is deleted immediately during processing, there is no footage archive to secure, breach or explain to the Data Protection Board. It is scoped to work apps and work-related activity; personal activity is skipped in real time, which keeps the processing inside employment purposes where Section 7(i) operates. Employees see the same activity view managers do and can redact entries before a manager sees them, which supports the notice-and-fairness posture the Act expects. A redacted entry is erased entirely and never appears in anyone's search; redaction is unavailable only for roles a company flags as a data-leak risk. You can see what the derived record looks like on the work timelines page, compare it with a screenshot-based tracker in ScreenJournal vs Hubstaff, or read the design rationale in We record work, not people.

One honest caveat: a privacy-first tool does not make an employer compliant by itself. Notices, grievance handling, security practices and breach procedures are the employer's own obligations, and they still need doing.

ScreenJournal is currently available in India and the Philippines, with California and New York City coming soon.

Frequently asked questions

Is the DPDP Act already in force for employers?

Partly. The Act was passed in August 2023 and the DPDP Rules were notified on 13 November 2025, but most employer obligations take effect in phases, with full compliance required by May 2027. Until then the IT Act 2000 and the SPDI Rules 2011 remain the operative regime.

Not for genuine employment purposes. Section 7(i) lets employers process employee personal data without consent for employment purposes and to safeguard the employer from loss or liability. Monitoring that goes beyond those purposes needs valid consent with notice.

What are the penalties under the DPDP Act?

The Data Protection Board of India can impose penalties of up to ₹250 crore for failing to implement reasonable security safeguards and up to ₹200 crore for failing to notify a personal data breach, per instance.

What law applies to employee data until the DPDP Act is enforced?

Section 43A of the Information Technology Act 2000 and the SPDI Rules 2011, which require reasonable security practices for sensitive personal data, alongside contractual and labour law principles.

Is ScreenJournal available in India?

Yes. ScreenJournal is currently available in India and the Philippines, with California and New York City coming soon.

See the work itself, not screenshots of it

Timesheets, reports and answers from the work your team actually did. Available for Windows and macOS, with Linux and mobile support coming soon.