What Employee Data Can a Company Legally Collect in India?

Under the DPDP Act 2023, a company can collect employee personal data that is necessary for a lawful, specified purpose, supported by notice and either consent or a recognised legitimate use. In practice this means identity and contact details, statutory payroll data (PF, ESI, PT, TDS, PAN, bank account), attendance and working hours, role and performance records, and work-system activity that is proportionate to a stated business purpose. Each category must be minimised to what the purpose genuinely needs, disclosed to the employee in advance, and retained only as long as required. Data that is more intrusive — such as biometrics, location, or screen and content capture — needs a stronger, documented justification, and private or off-duty information generally should not be collected at all. Verify with counsel.

India now has a written privacy floor for the workplace. The DPDP Act 2023 does not ban employee data collection — it conditions it on purpose, notice, consent and proportionality. This guide separates the data you can clearly collect from the data that needs a stronger justification, and the data most employers should not be collecting at all. Verify with counsel.

The legal floor: DPDP Act 2023 in one paragraph

The Digital Personal Data Protection Act 2023 (DPDP) is India’s first comprehensive personal-data law, and employee data sits squarely inside it. The core idea is simple: you may process personal data for a lawful purpose that you have told the person about (notice, Section 5) and for which you have consent or a recognised legitimate use (Section 6 and related provisions). On top of that sit principles you will meet repeatedly in this article — purpose limitation, data minimisation, storage limitation and security safeguards. None of this prohibits running a payroll, tracking attendance or measuring whether work is moving. It simply means each category of employee data needs an answer to four questions: why are we collecting it, did we tell the employee, is it proportionate, and when do we delete it.

Because the Act is principle-based and rules are still maturing, the conservative reading is the safe one. Where a legitimate-use ground is unclear, fall back to clear notice plus consent. Throughout this guide, treat the specifics as fact-dependent and verify with counsel.

What you can clearly collect

Most routine HR and payroll processing is on solid ground when it is tied to an obvious employment purpose and covered by notice. The categories below are the everyday backbone of an India employment relationship:

  • Identity and contact: name, employee ID, personal and official email, phone, address, emergency contact — needed to administer the relationship.
  • Statutory payroll and tax: PAN, bank account, PF/UAN, ESI, Professional Tax, TDS records. These are not just permitted; other laws require them, which also drives their retention periods.
  • Attendance and working hours: clock-in/out, leave, shift records — proportionate operational data.
  • Role and performance: designation, reporting line, appraisal records, training history — collected for managing and developing the employee.
  • Proportionate work-system activity: aggregate productivity signals tied to a stated purpose — calendar load, ticket and project flow, focus-time artefacts — where the employee has been told what is measured and why.

The common thread is necessity. If you can articulate the purpose in one sentence and the data is the minimum needed to serve it, you are usually in the clear — provided the employee received notice. Verify with counsel.

What employee data needs a stronger justification?

Some data is collectible but carries higher scrutiny because it is more intrusive or more easily abused. Collecting it is a deliberate decision, not a default:

  • Biometric attendance (fingerprint, face): treat as sensitive. Use clear notice, strict access control, a short retention window, and prefer a less intrusive method if one achieves the same goal.
  • Location data from company devices or field apps: justifiable for field roles on duty; hard to justify for off-duty tracking.
  • Screen captures and detailed activity logs: defensible only when proportionate, disclosed, and limited — not continuous, not covert.
  • CCTV in the workplace: permitted for safety/security with signage and a defined purpose; avoid private zones.

Key figures for the file — the DPDP Act 2023 provides for financial penalties for serious violations, with the most serious maximums prescribed in the Act’s Schedule. Separately, any India employer running AI to evaluate or monitor workers while serving EU customers should check the EU AI Act’s high-risk classification for workplace systems. Both regimes are fact-specific — verify with counsel.

What you should not collect

The fastest way to reduce both legal exposure and breach risk is to not collect data you cannot tie to a purpose. The DPDP Act’s minimisation principle and plain operational sense point the same direction. Steer clear of:

  • Private social-media accounts and off-duty online activity.
  • Personal-device contents (photos, personal messages) on BYOD hardware.
  • Health, family or financial details beyond what statute requires.
  • Keystroke logging and email/chat content capture for ordinary productivity visibility — the heaviest possible surface for the smallest real benefit.
  • Covert monitoring of any kind, which is the hardest configuration to defend.

Every category you remove is one fewer notice to write, one fewer purpose to defend, one fewer retention schedule to maintain and one fewer thing that can leak in a breach.

How much consent and notice do you actually need?

Notice is non-negotiable: before or at the point of collection, the employee should know what is collected, why, and how to exercise their rights. Consent is required in most cases, although the Act recognises certain employment-related legitimate uses. The pragmatic posture is a layered approach — a clear, plain-language employee privacy notice that maps each data category to a purpose and a retention period, plus explicit consent for anything outside the obvious legitimate-use core (for example, optional wellness data or anything sensitive). Where the legitimate-use basis is uncertain, default to consent. Because the boundary is fact-specific and guidance is still developing, verify the basis for each category with counsel.

Data category decision table

| Data category | Typical basis | Collect? | Watch-outs |
|---|---|---|---|
| Identity & contact | Legitimate use / notice | Yes | Keep current; limit access |
| Statutory payroll (PF/ESI/PT/TDS/PAN/bank) | Legal obligation | Yes | Statutory retention applies |
| Attendance & hours | Legitimate use / notice | Yes | Keep proportionate |
| Performance & appraisal | Notice (consent if sensitive) | Yes | Accuracy; right to correction |
| Proportionate productivity signals | Notice + clear purpose | Yes, scoped | Disclose what is measured |
| Biometric attendance | Notice + consent | With care | Sensitive; minimise & secure |
| Screen / keystroke / content capture | Hard to justify | Avoid for productivity | Highest risk; never covert |
| Private / off-duty data | None | No | Out of scope of employment |

This table is a planning aid, not legal advice; the correct basis for any category depends on your facts. Verify with counsel.

A practical compliance checklist

If you are setting up or reviewing employee data collection in India, work through this short list:

  1. Inventory: list every category of employee data you collect today and where it lives.
  2. Purpose: write a one-line purpose for each. If you cannot, stop collecting it.
  3. Notice: publish a plain-language employee privacy notice mapping category → purpose → retention.
  4. Basis: confirm legitimate use or capture consent for each category; default to consent when unsure.
  5. Minimise: remove anything not tied to a purpose — especially content capture and off-duty data.
  6. Retention: set and enforce a delete schedule per category; honour statutory periods.
  7. Security & rights: restrict access, log it, and give employees a route to access and correct their data.

Choosing tools that measure outcome signals rather than capturing screen or keystroke content keeps most of this checklist short by design — there is simply less data to govern.

Map your employee data to a DPDP-defensible baseline

See how a productivity platform that scores outcome signals — not screenshots or keystrokes — keeps your data inventory short and your notice simple. Free walkthrough, no obligation.

Frequently asked questions

What employee data can a company legally collect in India?

Under the DPDP Act 2023 a company can collect employee personal data that is necessary for a lawful, specified purpose with notice and consent (or a recognised legitimate use such as employment). In practice that covers identity and contact details, statutory payroll data (PF, ESI, PT, TDS, PAN, bank account), attendance and working hours, role and performance records, and work-system activity that is proportionate to a stated business purpose. Collection must be limited to what the purpose actually needs. Verify with counsel.

Does an employer in India need employee consent to collect data?

Often, yes. The DPDP Act 2023 requires notice and, in most cases, consent before processing personal data (Sections 5-6). The Act also recognises certain legitimate uses tied to employment, but the safe posture is a clear notice describing what is collected, why, and for how long, plus consent where the legitimate-use ground does not clearly apply. The exact basis is fact-specific, so verify with counsel.

Can a company in India read employee emails or record screens?

It is not automatically illegal, but content capture such as reading email bodies, recording screens or logging keystrokes is the highest-risk category. Each is a separate processing purpose needing its own notice, justification and retention answer under the DPDP Act, and covert capture is the hardest configuration to defend. Many employers achieve their actual goal with proportionate activity signals instead of content surveillance. Verify with counsel.

Is biometric attendance data legal to collect in India?

Biometric attendance (fingerprint or face) can be collected for a legitimate workforce purpose, but it is sensitive in nature and should be backed by clear notice, a defensible purpose, strict access controls and a short retention window. Where a less intrusive method achieves the same goal, proportionality favours it. Treat biometrics as a high-scrutiny category and verify with counsel.

How long can an employer keep employee data in India?

Only as long as needed for the stated purpose or as required by other laws (for example, statutory payroll and tax records have their own retention periods). The DPDP Act's storage-limitation principle means data collected for monitoring or recruitment should not be kept indefinitely. Set a written retention schedule per data category and delete when the purpose ends. Verify retention periods with counsel.

What employee data should a company avoid collecting?

Avoid collecting anything not tied to a clear purpose: private social media, off-duty location, personal device contents, health or family details beyond statutory need, and broad content capture you cannot justify. Data minimisation is both a DPDP principle and the cheapest way to shrink breach and compliance exposure. Verify with counsel.

What penalties apply for unlawful employee data collection in India?

The DPDP Act 2023 provides for financial penalties for serious violations, with the most serious figures prescribed in the Act's Schedule. Exact exposure depends on the violation, the safeguards in place and regulatory discretion, so treat published maximums as a ceiling, not a forecast. Verify current penalty provisions and your specific exposure with counsel.

Disclaimer: This article is general information, not legal advice. The DPDP Act 2023 is principle-based and rules continue to develop; the lawful basis, notice and consent requirements, retention periods and penalties are fact-specific. Verify the correct treatment of each data category, and your specific exposure, with qualified counsel before acting.