Is it legal for my boss to monitor my computer and keystrokes in India?
Updated · 6 July 2026
Yes, on company-owned devices or networks — but only if clearly disclosed in your IT policy. Covert monitoring or monitoring personal devices is restricted by the DPDPA, 2023.
Can my employer legally monitor my work computer?
Yes — on company-owned devices and networks, if the monitoring is reasonable, proportionate, and disclosed to employees. Indian law permits an employer to:
(1) Monitor email, browsing, file access and screen activity on company-issued devices;
(2) Log VPN, network and software usage on the corporate network;
(3) Use endpoint detection and response (EDR) tools for cybersecurity;
(4) Conduct periodic audits of work-related data.
This is grounded in the employment contract (you implicitly consent to legitimate workplace monitoring when joining), Section 69B of the IT Act, 2000 for traffic monitoring, and is qualified by your right to privacy under Puttaswamy.
The Supreme Court in K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 held that privacy in the workplace is a fundamental right, restrictable only by a proportionate measure with a legitimate aim.
(1) Monitor email, browsing, file access and screen activity on company-issued devices;
(2) Log VPN, network and software usage on the corporate network;
(3) Use endpoint detection and response (EDR) tools for cybersecurity;
(4) Conduct periodic audits of work-related data.
This is grounded in the employment contract (you implicitly consent to legitimate workplace monitoring when joining), Section 69B of the IT Act, 2000 for traffic monitoring, and is qualified by your right to privacy under Puttaswamy.
The Supreme Court in K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1 held that privacy in the workplace is a fundamental right, restrictable only by a proportionate measure with a legitimate aim.
What must my employer disclose before monitoring me?
Lawful workplace monitoring requires transparency. Your employer must disclose the practice through one or more of:
(1) IT Acceptable Use Policy — typically in the employee handbook, listing what's monitored and how;
(2) Employment contract clauses — specifying the scope of monitoring as a condition of employment;
(3) Privacy notice under the DPDPA, 2023 — describing what personal data is processed, for what purpose, and your rights regarding it;
(4) Visible signs and login banners — many companies display a notice that the computer/network is monitored.
Covert monitoring — installing spyware secretly, recording keystrokes without disclosure, or using webcams without notice — is unlawful. Such employer conduct can be challenged under the DPDPA, the IT Act, and even as a breach of the employment contract.
(1) IT Acceptable Use Policy — typically in the employee handbook, listing what's monitored and how;
(2) Employment contract clauses — specifying the scope of monitoring as a condition of employment;
(3) Privacy notice under the DPDPA, 2023 — describing what personal data is processed, for what purpose, and your rights regarding it;
(4) Visible signs and login banners — many companies display a notice that the computer/network is monitored.
Covert monitoring — installing spyware secretly, recording keystrokes without disclosure, or using webcams without notice — is unlawful. Such employer conduct can be challenged under the DPDPA, the IT Act, and even as a breach of the employment contract.
Is monitoring on my personal device allowed?
Only with specific, informed consent — and even then, the scope is narrow. Section 6 of the Digital Personal Data Protection Act, 2023 requires consent for processing personal data to be:
(1) Free — not coerced by job pressure;
(2) Specific — for an identified purpose, not a blanket waiver;
(3) Informed — you must know what's being collected and why;
(4) Unambiguous and given by clear affirmative action;
(5) Withdrawable — you can revoke consent at any time.
BYOD (Bring Your Own Device) policies typically install a mobile device management (MDM) profile that sandboxes corporate apps. This is acceptable. But monitoring your personal apps, location, calls, photos — even when you carry a personal device for work — is generally NOT acceptable unless you have given specific informed consent for each category.
(1) Free — not coerced by job pressure;
(2) Specific — for an identified purpose, not a blanket waiver;
(3) Informed — you must know what's being collected and why;
(4) Unambiguous and given by clear affirmative action;
(5) Withdrawable — you can revoke consent at any time.
BYOD (Bring Your Own Device) policies typically install a mobile device management (MDM) profile that sandboxes corporate apps. This is acceptable. But monitoring your personal apps, location, calls, photos — even when you carry a personal device for work — is generally NOT acceptable unless you have given specific informed consent for each category.
What does the DPDPA, 2023 say about workplace surveillance?
The DPDPA, 2023 imposes meaningful constraints on employer surveillance practices:
(1) Section 4 — Purpose limitation: the employer (a 'Data Fiduciary') can collect only personal data necessary for a 'specified purpose';
(2) Section 5 — Notice: employees must be told what data is being processed and why;
(3) Section 6 — Consent for sensitive processing (covered above);
(4) Section 11 — Right to information about your processed personal data;
(5) Section 12 — Right to correction and erasure;
(6) Section 13 — Grievance redressal — your employer must appoint a Data Protection Officer (DPO) or grievance handler;
(7) Penalties — up to ₹250 crore for serious violations, imposed by the Data Protection Board of India.
The DPDPA applies even to legitimate workplace monitoring — it doesn't bar surveillance, but it does require transparency, proportionality, and accountability.
(1) Section 4 — Purpose limitation: the employer (a 'Data Fiduciary') can collect only personal data necessary for a 'specified purpose';
(2) Section 5 — Notice: employees must be told what data is being processed and why;
(3) Section 6 — Consent for sensitive processing (covered above);
(4) Section 11 — Right to information about your processed personal data;
(5) Section 12 — Right to correction and erasure;
(6) Section 13 — Grievance redressal — your employer must appoint a Data Protection Officer (DPO) or grievance handler;
(7) Penalties — up to ₹250 crore for serious violations, imposed by the Data Protection Board of India.
The DPDPA applies even to legitimate workplace monitoring — it doesn't bar surveillance, but it does require transparency, proportionality, and accountability.
What can I do if my privacy at work has been breached?
Multiple parallel remedies depending on severity:
(1) Internal grievance — write to the Data Protection Officer (DPO) or HR with the specific breach, citing Section 13 DPDPA. Often resolves quickly when company wants to avoid escalation;
(2) Data Protection Board of India — once fully operational (notification awaited), file a complaint there under the DPDPA;
(3) Adjudicating Officer under Section 46 of the IT Act — for breaches involving sensitive personal data, claim compensation;
(4) Civil suit for damages — for invasion of privacy, with reference to Puttaswamy;
(5) Constructive dismissal claim — if the surveillance is so egregious as to make continued employment untenable;
(6) Industrial Tribunal / Labour Court — for 'workmen' alleging unfair labour practices.
Engage a reputable, specialised employment/privacy lawyer for serious cases. Document everything — emails, screenshots of surveillance notifications, internal correspondence.
(1) Internal grievance — write to the Data Protection Officer (DPO) or HR with the specific breach, citing Section 13 DPDPA. Often resolves quickly when company wants to avoid escalation;
(2) Data Protection Board of India — once fully operational (notification awaited), file a complaint there under the DPDPA;
(3) Adjudicating Officer under Section 46 of the IT Act — for breaches involving sensitive personal data, claim compensation;
(4) Civil suit for damages — for invasion of privacy, with reference to Puttaswamy;
(5) Constructive dismissal claim — if the surveillance is so egregious as to make continued employment untenable;
(6) Industrial Tribunal / Labour Court — for 'workmen' alleging unfair labour practices.
Engage a reputable, specialised employment/privacy lawyer for serious cases. Document everything — emails, screenshots of surveillance notifications, internal correspondence.
Reference Citation: Section 69B, IT Act, 2000; DPDPA, 2023; K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
Disclaimer: Content provided here is for general legal knowledge only and does not constitute formal legal advice. If you have an urgent or specific matter, please consult a registered advocate.