SINGAPORE: The costs of changing their IT systems to stop capturing people’s full NRIC number for verification as well as the time needed to do so are the challenges security and building management service providers will face, according to industry stakeholders.
Their response comes after the Personal Data Privacy Commission (PDPC) announced that organisations will have to stop the unnecessary and indiscriminate collection of people’s NRIC numbers from September 2019.
In an email response to Channel NewsAsia, the Association of Property and Facility Managers (APFM) said it is “supportive” of the latest guidelines as the new measures will “provide added protection, minimise incidents of identity theft and give holders of NRICs a better peace of mind”.
The spokesperson added that while it does not see “any major challenges”, it noted the recording of only partial NRIC data will require software tweaks and time to deploy the new systems.
“Nevertheless, our members are pleased that PDPC and the Info-communications Media Development Authority (IMDA) will be publishing the technical guidelines and template notices as well as identifying pre-approved technology solutions to adopt,” the spokesperson said.
Shedding more light on the concerns, Mr Raj Joshua Thomas, president of Security Association Singapore, said agencies that have already implemented visitor management systems that read and record full NRIC numbers at their buildings will now have to have the systems tweaked to capture just the last three digits and letter.
Additional costs would be incurred while vendors of these systems would require time to make system changes, he added.
It is worst for buildings without a visitor management system and relied on the retention of NRICs or other identification cards in exchange for a visitor pass. They will have to start from scratch to install the appropriate visitor management systems, Mr Thomas said.
IMDA had previously said small and medium-sized enterprises (SMEs) can apply for the Productivity Solutions Grant to help defray the costs.
The president added the association will help its members to adopt the new measures through its upcoming Comprehensive Guide for Security Agencies, due out this September, as well as its advisory services.
“SAS supports this move,” Mr Thomas said. “Security agencies incur liability when holding on to physical NRICs as well as NRIC data.
“The guidelines will help to ameliorate these issues, and the adoption of technology will be able to help in a big way, and is in line with the security industry’s transformation map.”
One integrated facilities management company, UEMS, which provides services to close to 100 facilities including some public hospitals, said some of its security agencies currently collect or record NRIC numbers of visitors to the facilities.
With the rule changes though, it will be working with its security agencies and clients to review existing processes and see how it can implement the updated rules, the spokesperson told Channel NewsAsia in an email.
“We are exploring possible alternatives like user-generated IDs or organisation-issued QR codes as a replacement to the traditional NRIC collection,” added the spokesperson.
Asked if the one-year transition period will be enough time for the changes, UEMS said it “seems sufficient for now”, a sentiment shared by Mr Thomas of Security Association Singapore.
Mr Adrian Tan, TSMP Law Corporation’s head of Intellectual Property and Technology, Media and Telecom, concurred. He said the one-year period is appropriate given that Singaporeans have been living with this practice for decades.
The lawyer did point out two groups that will have to “move quickly”: People who manage commercial buildings and condominiums, as they have to reorganise the way they identify and record visitors, and businesses who have been using NRIC numbers as an “expedient way to categorise members”.
The latter group will have to think of a better substitute, and email addresses are a “good starting point”, he said.
“I hope these guidelines represent the start of a long-delayed conversation that Singaporeans need to have about data collection. We need to talk about ways to educate Singaporeans about valuing and protecting their personal information,” Mr Tan said.