SINGAPORE: Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC), has proposed changes to the advisory guidelines on how companies handle individuals' NRIC numbers, copies of the NRIC or the physical NRIC, and has launched a public consultation to solicit views on the revisions.



In revising the advisory guidelines, the PDPC said in a press release on Tuesday (Nov 7) it had taken into consideration current industry practices, as well as the views and feedback of individuals on the handling of their NRIC.

The revised advisory guidelines address whether organisations may collect, use or disclose individuals’ NRIC numbers or a copy of their NRIC, or retain their physical NRIC.

The guidelines also address other data protection provisions which may apply in the collection, use or disclosure of NRIC numbers or copies of the NRIC, or the retention of the physical NRIC.



"The NRIC number is a unique identifier assigned by the Government to each Singapore resident that is often used as a required document or identifier for transactions with the Government, as well as certain commercial transactions," PDPC said.



"As the NRIC number is a permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to the individual, the indiscriminate collection and use of individuals’ NRIC numbers is of special concern as it increases the risk that the NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud," the Commission added.

The collection of an individual’s physical NRIC, or a copy of it, is also of concern, PDPC said.



"The physical NRIC not only contains the individual’s NRIC number, but also other personal data, such as the individual’s full name, photograph, iris image, thumbprint and residential address," it added.

NRIC STILL REQUIRED FOR MOBILE SUBSCRIPTION, CHECKING INTO HOTELS

In general, PDPC said organisations should not collect, use or disclose an individual’s NRIC number or a copy of the NRIC, except in the following circumstances:

Collection, use or disclosure of the NRIC number or copy of the NRIC is required under the law; or

Collection, use or disclosure of the NRIC number or copy of the NRIC is necessary to accurately establish and verify the identity of the individual

These situations include when seeking medical treatment at a general practitioner clinic, enrolling children into childcare centres, checking into a hotel and subscribing to a mobile telephone line.

"Circumstances which PDPC would consider necessary to accurately establish and verify the identity of individuals include situations or transactions where verification is necessary to prevent a risk of significant harm or impact to the individual and/or the organisation, for example entering into high value contracts such as property transactions, and applications for healthcare or travel insurance to prevent fraudulent claims," the PDPC said.



These circumstances include the disclosure of personal data without consent in an emergency situation and the collection of NRIC numbers for entry into a secured building.

NRIC NOT REQUIRED FOR BICYCLE RENTAL, LUCKY DRAWS

The PDPC also listed scenarios where the collection, use or disclosure of NRIC numbers or a copy of the NRIC is not required under any law.

These include the redemption of free parking, the online purchase of movie tickets, and signing up for retail memberships and lucky draws.



Organisations also should not retain an individual’s physical NRIC unless required under the law, or where it is necessary to accurately establish and verify the identity of the individual.



"To be clear, even if an organisation temporarily retains an individual’s physical NRIC (e.g. as collateral) without recording any personal data contained in the NRIC, PDPC generally considers the organisation to have collected all the personal data in the NRIC, for the duration the physical NRIC is in the possession or under the control of the organisation," PDPC said.



Hence, organisations are to comply with the obligations under the Personal Data Protection Act (PDPA), such as the obligation to make reasonable security arrangements to protect the personal data in their possession or under their control from unauthorised disclosure, if they collect an individual’s physical NRIC or a copy of the NRIC, it added.

Instances listed by the Commission where organisations should not retain an individual's NRIC include when renting a bicycle or when issuing visitor badges for buildings.

In certain circumstances, an organisation may merely have sight of an individual’s physical NRIC and the information on it for verification purposes, the Commission added.



PDPC said it may consider that there was no intention to obtain control or possession of the physical NRIC in these circumstances and hence may not consider it a collection or retention of personal data on the physical NRIC.



These circumstances include the checking of physical NRICs for the sale of cigarettes to verify age.

ORGANISATIONS ALLOWED 12 MONTHS TO IMPLEMENT CHANGES

The PDPC added that it is aware that organisations may require some time to review existing business practices and implement operational changes to adopt alternatives in place of NRIC numbers, physical NRIC or copies of the NRIC.

Hence, it is proposing to allow organisations a period of up to 12 months from the issuance of the revised advisory guidelines to review and implement the necessary changes to their practices and processes.



Organisations should also consider alternatives to use in place of NRIC numbers or copies of the NRIC, such as organisation or user-generated ID or password, tracking number, organisation-issued QR code, or monetary deposit.

"Organisations should also consider whether the alternatives provided are reasonable, and avoid collecting excessive personal data as an alternative to the individual’s NRIC numbers or a copy of the NRIC," PDPC added.

The PDPC has launched a public consultation to solicit views and comments on the proposed revised advisory guidelines, and whether there are "additional issues or common scenarios" that these advisory guidelines should address.

Here is a proposed technical guide to accompany the revised advisory guidelines:

Question 1: What are your views on the proposed criteria for limiting the collection, use or disclosure of individuals’ NRIC numbers or copies of the NRIC to instances where:

(a) it's required under the law; and

(b) it's necessary to accurately establish and verify the identity of the individual

Question 2: What are your views on the proposed criteria for limiting the retention of individuals’ physical NRIC to instances where:

(a) it's required under the law; and



(b) it's necessary to accurately establish and verify the identity of the individual

Question 3: Are there common scenarios or additional issues (e.g. updating of information systems) that these advisory guidelines should address?

Question 4: What are your views on the proposed provision of up to one year from the issuance of the advisory guidelines for organisations to review and implement changes to their practices and processes involving the collection, use or disclosure of NRIC numbers or copies of the NRIC, or the retention of physical NRIC?

Those who wish to give feedback can do so by Dec 18 at 5pm via email to corporate@pdpc.gov.sg.

Details of the consultation paper and submission procedures are available on the PDPC website.