Right to Data Privacy of Employees at Workplace

May 17, 2023


The ease of doing business has clearly increased with the growing use of technology in enterprises; at the same time, it raises issues such as the protection of personal data. Over the past decade, the data rights of employees and workers have emerged as a new frontier of employee and worker rights.

The concepts of data protection and privacy are not yet covered by comprehensive legislation in India. However, the rights guaranteed under the Constitution of India, including the right to privacy recognised as a fundamental right in K.S. Puttaswamy v. Union of India (2017), bind the State and State-owned entities, and the same principles should guide private businesses in their handling of personal data.

Furthermore, the rights of Data Subjects enshrined in the Digital Personal Data Protection Bill, 2022 (hereinafter referred to as “the Bill”) also serve as a parameter in ascertaining the privacy rights of the employees at the workplace.

The International Labour Organization's Code of Practice on the Protection of Workers' Personal Data (1997) emphasizes the worker's right to informational privacy and the right to access and audit the personal data records held by the employer.


For a business, protecting the privacy of employee data is both a legal and an ethical concern. Customers, employees, and the business itself are protected when the personal data processed by the organization is kept secure.

Although one might not give it much thought, data privacy in the workplace affects daily life more than many realize. Consider the spam emails and telemarketing calls an individual receives. Such unsolicited calls and emails are a classic example of personal data of Data Subjects being transferred outside the secure systems of an organization without the consent or knowledge of the Data Subjects.

The central goal of data privacy at the workplace is to give employees control over who or what can see the personal information, such as phone numbers, email addresses, and similar details, that they submit as part of an organization's standard requirements.


Privacy is a fundamental right, and data protection rules and regulations exist to protect it. Businesses use data protection safeguards to demonstrate to customers and employees that the organization can be trusted with their personal data.

If personal information is not safeguarded, or Data Subjects are not given the ability to control how their information is used, it may be abused in a variety of ways, such as:

1. Use by cyber criminals to deceive or harass people.

2. Sale of personal information to advertisers or other third parties without the consent of the Data Subject, leading to unwanted targeted marketing or advertising.

3. Exposure of personal information that enables unwanted surveillance.

Should any of the above occur, the outcome is harmful for the individuals concerned, and for the business it can damage goodwill and attract fines, penalties, and other legal consequences.


Employers gather numerous details about employees on a regular basis. Employees must be able to access their data and understand how it is used and stored, with full transparency from the organization.

An organization should collect only the data that is obligatory or required for employment purposes, and dispose of or return such data once the purpose is served. Additionally, the organization must inform the Data Subjects, i.e., the employees, how the data collected will be used, processed, stored and/or transferred.


Employers gather Sensitive Personal Data or Information (hereinafter referred to as “SPDI”) of employees for various purposes, such as payroll and screening candidates against particular criteria. Employers should be aware of the responsibilities that come with SPDI as well as the potential penalties for non-compliance.

According to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as “the Rules”), every organization must implement information security procedures, guidelines, plans, and policies to safeguard the information assets in its possession.

Under Section 43A of the Information Technology Act, 2000, an employer that fails to implement “reasonable security practices and procedures” for the protection of an employee's SPDI, and thereby causes wrongful loss or wrongful gain, may be held liable to compensate the affected employee.

Compensation claims under Section 43A of up to INR 5 crore are adjudicated by the Adjudicating Officer appointed under the Act; claims exceeding that amount lie before the competent civil court. Under the Rules, the international standard IS/ISO/IEC 27001 is one standard that an organization may adopt to demonstrate that the minimum safeguards are in place to protect the SPDI and personal data of employees and users.

An organization may instead follow another code of best practices for data protection, provided that code has been approved and notified by the Central Government. Whichever standard is adopted, it must be certified or audited by an independent auditor approved by the Central Government at least once a year, and whenever the organization significantly upgrades its processes or computer resources.


Connection to the business: An employer should gather an employee's SPDI only if it is necessary for the performance of the employee's duties and/or is mandated for a legal purpose.

Written consent: Before using SPDI for any purpose, an employer should obtain the written consent of the concerned employee(s).

Right to review, correct, and withdraw consent: An employer must allow employees to review and correct their SPDI and to withdraw their consent at any time. If consent is withdrawn, the employer has the right to stop providing the services for which the information was collected.

The above also applies to the personal information of employees.

Except where disclosure is required by law or requested by Government authorities, an employer must obtain the employee's consent before disclosing personal information or SPDI to a third party.


In Michael A. Smyth v. The Pillsbury Company, 914 F. Supp. 97 (E.D. Pa. 1996), the Plaintiff alleged that the Defendant had wrongfully discharged him in violation of his right to privacy.

The Defendant had set up an email system for internal company communication and told its employees that all email correspondence would remain confidential. It further assured staff that email would not be intercepted and used against employees as grounds for termination or reprimand.

However, when the Plaintiff exchanged emails with his supervisor over the Defendant's email system from his home computer, the Defendant intercepted those emails and terminated his employment for sending “inappropriate and unprofessional” comments.

The Court held that an employee has no reasonable expectation of privacy in voluntary email communications sent to a supervisor over the company's email system, notwithstanding the company's assurances of confidentiality, and that the company's interest in preventing inappropriate or unprofessional comments outweighed any privacy interest in such communications.

In Copland v. United Kingdom [(2007) ECHR 253], the applicant's telephone, email and internet usage at work had been monitored without her knowledge or consent. The European Court of Human Rights held that telephone calls made from business premises, emails sent from work and information derived from monitoring personal internet usage fall within “private life” and “correspondence” under Article 8(1) of the European Convention on Human Rights (“ECHR”), and that the monitoring, which had no basis in domestic law at the time, violated Article 8.


An organization typically manages an immense amount of data, including files and databases spread across several storage devices and cloud repositories. Because employee data is stored so widely, it is easy to lose track of, which makes it susceptible to exposure and third-party intrusion.

To tackle unwarranted data exposure, organizations ought to implement the requisite data management systems and policies.

More is not always better: organizations are beginning to realize that data must have context and value, because storing and protecting all data indefinitely enlarges both the attack surface and the scope of legal discovery. Weighing the volume of data collected against its value to the company, modern enterprises must establish balanced data retention policies.

To address these challenges, organizations must know clearly what data they hold, its sensitivity level, and its lifecycle. These fundamentals form the basis of the security and privacy policies an organization implements.

Protective Measures to Combat the Challenges

i. Collect only the data required for a defined purpose instead of collecting data in bulk.

ii. Implement multi-factor authentication (“MFA”) or other robust authentication protocols for centralized network systems of the organization.

iii. Secure data in transit and at rest with encryption and other security tools, and maintain data backups with regular restoration testing.

iv. Consistently inform staff, partners, and clients about data privacy policies and build awareness of them.

v. Ensure that any third-party storage providers, such as cloud storage providers, practice the same level of data protection measures as the organization.
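The minimisation and retention points above (collect only what a defined purpose requires, know what you hold and how sensitive it is, dispose of it once the purpose is served) can be enforced mechanically rather than left to policy documents. The following is an added example, not code from this article or from AMLEGALS: a small Python inventory check that classifies records as SPDI or ordinary personal information, applies purpose-bound retention periods, and reports which records must be disposed of. The field names, retention periods and sample records are constructed assumptions, not figures taken from the Rules.

```python
"""Employee data inventory check: sensitivity, purpose-bound retention, disposal.

Added example. Field names, retention periods and the sample records below are
constructed assumptions for illustration, not values from the 2011 Rules.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Rule 3 of the Rules lists categories of SPDI (passwords, financial information,
# health condition, medical records, biometric information, etc.). These field
# labels are assumed names an HR system might use, not a legal definition.
SPDI_FIELDS = {"bank_account", "medical_history", "biometric_template", "password_hash"}

# Assumed retention periods, in days after the collection purpose has ended.
RETENTION_DAYS = {
    "payroll": 8 * 365,      # assumption: payroll record-keeping after exit
    "recruitment": 180,      # assumption: screening data of unsuccessful candidates
    "access_control": 90,    # assumption: badge / VPN access records
}


@dataclass
class Record:
    subject_id: str
    purpose: str
    fields: dict                    # field name -> value
    purpose_ended: Optional[date]   # None while the purpose is still active
    consent_withdrawn: bool = False


def sensitivity(rec: Record) -> str:
    """'SPDI' if any field is sensitive under the Rules, otherwise 'PI'."""
    return "SPDI" if SPDI_FIELDS & set(rec.fields) else "PI"


def retention_deadline(rec: Record) -> Optional[date]:
    """Date after which the record must be disposed of; None while still in use."""
    if rec.purpose_ended is None or rec.purpose not in RETENTION_DAYS:
        return None
    return rec.purpose_ended + timedelta(days=RETENTION_DAYS[rec.purpose])


def redact(rec: Record) -> dict:
    """Copy of the fields with SPDI values masked, safe to write to an audit log."""
    return {k: ("***" if k in SPDI_FIELDS else v) for k, v in rec.fields.items()}


def review(records, today: date) -> dict:
    """Sort records into 'dispose', 'keep' and 'no_purpose' by subject id.

    no_purpose: collected for a purpose with no retention rule, i.e. collection
                without a defined purpose; it needs a decision, not storage.
    dispose:    consent withdrawn, or the retention deadline has passed.
    keep:       purpose still active, or deadline not yet reached.
    """
    out = {"dispose": [], "keep": [], "no_purpose": []}
    for rec in records:
        if rec.purpose not in RETENTION_DAYS:
            out["no_purpose"].append(rec.subject_id)
        elif rec.consent_withdrawn:
            out["dispose"].append(rec.subject_id)
        else:
            deadline = retention_deadline(rec)
            if deadline is not None and deadline < today:
                out["dispose"].append(rec.subject_id)
            else:
                out["keep"].append(rec.subject_id)
    return out


# Constructed sample inventory; the review date is the article's date.
TODAY = date(2023, 5, 17)
SAMPLE = [
    Record("E-001", "payroll", {"name": "A", "bank_account": "1111"}, None),               # current employee
    Record("E-002", "payroll", {"name": "B", "bank_account": "2222"}, date(2014, 3, 31)),  # left nine years ago
    Record("C-101", "recruitment", {"name": "C", "medical_history": "x"}, date(2022, 9, 1)),  # rejected > 180 days ago
    Record("C-102", "recruitment", {"name": "D"}, date(2023, 4, 1)),                      # rejected recently
    Record("E-003", "access_control", {"badge_id": "77"}, None, consent_withdrawn=True),  # consent withdrawn
    Record("E-004", "marketing_list", {"email": "e@example.invalid"}, None),              # no defined purpose
]


def run_sample() -> dict:
    """Run the review over the constructed sample; returns the action lists."""
    return review(SAMPLE, TODAY)


if __name__ == "__main__":
    for action, ids in run_sample().items():
        print(f"{action}: {ids}")
    for rec in SAMPLE:
        print(rec.subject_id, sensitivity(rec), redact(rec))
```

The review deliberately treats a record whose purpose has no retention rule as a finding in its own right: under the collection principle above, data with no defined purpose should not have been gathered, so it is surfaced for a decision rather than silently kept. The audit output masks SPDI values so that the disposal log does not itself become a second copy of the sensitive data.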


With the shift from manual records to digitization, almost every organization holds databases on cloud servers containing user and employee data. Organizations must implement adequate and robust data protection measures to safeguard such data, which is an asset of the organization.

In the absence of dedicated data protection legislation in India, it is pivotal that organizations constantly self-assess their data protection measures; otherwise, the data they store may be exposed through breaches.

Organizations should implement data management systems and data warehouses to keep track of the data they collect, and ensure that data is securely disposed of or returned to the Data Subject once the purpose is served. In the current digital era, adopting new data and algorithmic technologies at the workplace in place of traditional work practices is the need of the hour.

– Team AMLEGALS assisted by Ms. Ananya Pandey (Intern)


© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.

