

The Intersection Of Data Protection Act 2023 And Employee Privacy Rights: Balancing Workplace Surveillance And Data Security

Nadiya Murshed


The government passed the Digital Personal Data Protection Act, 2023 (“the DPDP Act”) to protect the personal information of citizens. This extends to the workplace, where data relating to employees is collected and processed for purposes such as insurance, medical records, financial security benefits and other similar needs.

Prior to this legislation, the statute governing the sensitive information of citizens was the Information Technology Act, 2000. The IT Act addressed data breaches by providing compensation under Section 43A, and disclosure of information without consent or in violation of law was punishable under Section 72A. Further, Section 87(2)(ob) empowered the Central Government to make the necessary rules regarding the protection of data.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules) were framed by the Central Government to impose the necessary obligations for handling sensitive and personal data. The DPDP Act will replace the IT Act regime and simplifies the entire process.

Data Privacy: Source and Impact

The landmark judgement in Justice K.S. Puttaswamy (Retd) v. Union of India held that, under Article 21 of the Constitution, privacy is an important aspect of any person’s life and an essential facet of human dignity. The choices a person makes about his or her life are intrinsic to privacy, since that life is governed by the person’s autonomy and the freedom to control its vital aspects.

This can only be achieved if certain grounds for privacy are maintained:

  1. The use, collection, storage and processing of information that can be recognized as ‘personal’ must be restricted to what is needed to accomplish the organization’s goals, and the policies governing these activities must be transparent;
  2. The persons handling such personal information must be well trained to understand its sensitive nature and to implement a systematic framework that monitors these activities and ensures accountability.

This creates accountability for the organization as a whole, and the use of the information is limited to the extent permitted by law. The person giving the information should have a choice over the usage, storage, retention and collection of information that is, or is deemed, private. In Europe, the EU data protection authorities impose penalties for any violation of policies relating to the consent of the person when submitting information to companies. In India, this was earlier dealt with under the Information Technology Act, 2000.

Importance of Consent Under the DPDP Act

Under the DPDP Act, consent is required for processing employee data. As under the Indian Contract Act, 1872, the consent must be free. It must also be unambiguous, and the person giving consent must be informed that their personal data will be processed for a specific purpose, i.e., processing must be strictly limited to that purpose, which the Act also terms “legitimate use”.

Additionally, the person may withdraw consent, and withdrawal should be as easy as the process of giving consent, which is difficult in practice. This is because, for legitimate use, the consent given by the individual is per se not known, and this is what makes it difficult to withdraw.

Companies should be aware that legitimate use does not extend to sensitive personal data and children’s data; non-compliance on this point can attract legal action. The Act also requires that notice be given every time consent is sought. Where consent was obtained before 11 August 2023, a fresh notice must be issued to seek consent again for the processing of data.

The DPDP Act lists several legitimate uses of personal data, which together make up the lawful grounds for data processing. Apart from purposes such as government functions, emergencies or public health, the “voluntary sharing” of personal data under Section 7(a) and “employment purposes” under Section 7(i) of the DPDP Act are the most important ones under the law.

A Data Fiduciary may process personal data only if valid consent has been obtained from the person for the specific purpose communicated to them. Personal data may, however, be processed without consent for employment purposes, or where the employer needs to protect itself from loss or liability, maintain trade secrets, prevent corporate espionage, or protect intellectual property or classified information.

Information given by a person in the course of employment, for employment purposes, and processed in relation to employment is deemed a legitimate use. Given the statutory obligations, this information must be disclosed to the employee before the collected personal data is processed, and the usage and handling of the personal data also form part of that disclosure. The scope of legitimate use may expand through judicial interpretation and various bye-laws, since the “contractual necessity” and “legitimate interest” grounds present in the GDPR are absent from the DPDP Act.

Legitimate purpose is left open to interpretation, and the employment purpose under Section 7 of the DPDP Act can be stretched as far as a company’s policies allow. The burden of protection should ideally have rested on the organization, but it falls on the very individual who is meant to be protected.

Data Processing by the Organization

Human Resources departments should be more mindful of these activities, as they involve regular cross-border transfers of data. The Act also helps identify and distinguish Personally Identifiable Information (PII) and calls for robust measures to prevent any breach of data held by HR. Transparency is central to the DPDP Act and to the organizations that collect and process employees’ personal data.

Earlier, such data was covered as sensitive personal data or information (SPDI) under the IT Rules: Rule 5 covered correction rights, access and withdrawal, and also paved the way for compensation in case of a data breach. Employee consent fell under Rule 5(1), retention under Rule 5(4) and safeguarding under Rule 5(8), while Rule 8 prescribed the measures required to protect the data. Like the DPDP Act, the IT Rules addressed the company’s privacy policy, under Rule 4. The DPDP Act is more comprehensive, however, as it takes into account cross-border data processing and the other aspects listed under Section 8 of the DPDP Act.

Compliances for the Employee Data

The DPDP Act imposes strict restrictions on the use of personal information and places accountability on the organization. Section 8 of the DPDP Act places the following obligations on the employer[12]:

  • Correction rights: Employees can know what data the employer holds about them, update it so that it is correct and complete, and request its deletion. Whether this right survives termination is not clear.
  • Access to data: Section 11 of the DPDP Act gives employees the right to access their data and to know the data fiduciaries with whom it is held or shared.
  • Processing of personal data: Under the DPDP Act, organizations that keep records of financial information must ensure adequate protection measures for the personal data they hold.
  • Retention: Data should be retained only for the limited purposes communicated to the employee or as required by law; otherwise the organization must justify continued retention.
  • Security measures: Adequate technical and other measures, including available encryption methods, must be in place to safeguard the data against breach. Where processing is carried out by a third party, the employer must ensure that the third party has taken such measures and verify this to the employee.
  • Breach of data: Each individual whose data is affected by a breach must be notified, although the manner of reporting such notifications has not yet been prescribed. Until the breach is remedied, data fiduciaries must take adequate measures to prevent further breaches and lay down methods for managing them.
  • Grievance redressal: A data grievance redressal mechanism is mandatory under the DPDP Act and is responsible for responding to employees’ queries.
  • Data Protection Officer: Under Section 10 of the DPDP Act, organizations processing sensitive or special categories of data will be designated Significant Data Fiduciaries. An organization involved in large-scale data processing will then appoint a DPO, similar to the GDPR.

If these compliances are not in place, penalties apply, starting at INR 10,000 and extending up to INR 2500,00,00,000.


To protect an individual’s personal data, the organization should be transparent and have clear policies that establish a framework for using and safeguarding employees’ personal data, applicable both within and outside the organization. This is only possible if privacy safeguards are available to the person.

Every person’s privacy is a right under the law, to be kept free from unwanted and uninvited intrusions; under the Constitution of India it is a fundamental right under Article 21. Policies and laws should be in place to protect private information that a person does not want to disclose. They need to define what is deemed personal data, and the terms and conditions that determine the purpose of obtaining, retaining, processing, storing and protecting that data.

Apart from this, the duration of retention also matters in ensuring that the data is protected. Personal data such as an Aadhaar number, PAN card number or other similar personal information should be used only where it is strictly necessary.



Statutes

  1. The Constitution of India
  2. The Indian Contract Act, 1872
  3. The Information Technology Act, 2000
  4. The Digital Personal Data Protection Act, 2023

Case Law

Justice K.S. Puttaswamy (Retd) v. Union of India, Writ Petition (Civil) No. 494 of 2012

Online Articles

  1. Arjun Harkaulit, SCC Blog, The Fine Balance — Surveillance, Security, and the Right to Privacy, August 03, 2023, https://www.scconline.com/blog/post/2023/08/03/the-fine-balance-surveillance-security-and-the-right-to-privacy/
  2. Priti Suri, Mondaq, DPDP Act: Balancing Employee Data & Privacy Rights, August 25, 2023, available at DPDP Act: Balancing Employee Data & Privacy Rights – Privacy Protection – India (mondaq.com) (Last visited on October 04, 2023).
  3. India Law Offices LLP, Is an Employer in India Obliged to Protect an Employee’s Personal Data?, September 21, 2023, available at https://www.indialawoffices.com/legal-articles/is-emloyer-obliged-protect-employee-personal-data (Last visited on October 13, 2023).
  4. Harshavardhan Godulga, India’s Digital Data Protection Bill: Implications of deemed consent, August 16, 2023, available at https://www.ey.com/en_in/cybersecurity/india-s-digital-data-protection-bill-implications-of-deemed-consent (Last visited on October 13, 2023).
  5. Arpita Saha, Navigating Data Protection in HR: An In-Depth Look at India’s DPDP Bill, August 21, 2023, available at https://www.linkedin.com/pulse/navigating-data-protection-hr-in-depth-look-indias-dpdp-arpita-saha/ (Last visited on October 13, 2023).

Nadiya Murshed is a research intern at IMPRI.

Acknowledgement: Author would like to thank Prasangana Paul, Nikita Saha and Vaishali Singh for their kind comments and suggestions to improve the article.
