SINGAPORE: Singapore's privacy watchdog the Personal Data Protection Commission (PDPC) has proposed changes to guidelines on how companies handle individuals' NRIC numbers, collects the physical NRIC or a copy of it.
In revising the advisory guidelines, PDPC said in a press release on Tuesday (Nov 7) it had taken into consideration current industry practices, as well as feedback from individuals on the handling of their NRIC numbers.
"The NRIC number is a unique identifier assigned by the Government to each Singapore resident that is often used as a required document or identifier for transactions with the Government, as well as certain commercial transactions," PDPC said.
"As the NRIC number is a permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to the individual, the indiscriminate collection and use of individuals’ NRIC numbers is of special concern as it increases the risk that the NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud," it added.
The collection of an individual’s physical NRIC, or a copy of it, is also of concern, PDPC said.
"The physical NRIC not only contains the individual’s NRIC number, but also other personal data, such as the individual’s full name, photograph, thumbprint and residential address," it added.
NRIC STILL REQUIRED FOR MOBILE SUBSCRIPTION, CHECKING INTO HOTELS
In general, PDPC said organisations should not collect, use or disclose an individual’s NRIC number or a copy of the NRIC, except when it is required under the law or when it is necessary to verify the identity of the individual.
These situations include when seeking medical treatment at a clinic, enrolling children into childcare centres, checking into a hotel and subscribing to a mobile telephone line, or when entering into high-value contracts such as property transactions and applying for insurance.
Scenarios where the collection, use or disclosure of NRIC numbers or a copy of the NRIC is not required under any law include the redemption of free parking, online purchase of movie tickets as well as when signing up for retail memberships and lucky draws.
Organisations also should not retain an individual’s physical NRIC unless required under the law, or where it is necessary to accurately establish and verify the identity of the individual.
"To be clear, even if an organisation temporarily retains an individual’s physical NRIC (eg as collateral) without recording any personal data contained in the NRIC, PDPC generally considers the organisation to have collected all the personal data in the NRIC, for the duration the physical NRIC is in the possession or under the control of the organisation," PDPC said.
Hence, organisations are to comply with the obligations under the Personal Data Protection Act, such as to make reasonable security arrangements to protect the personal data from unauthorised disclosure, it added.
Instances listed by the commission where organisations should not retain an individual's NRIC include when renting a bicycle or when issuing visitor badges for buildings.
In certain circumstances, an organisation may merely have sight of an individual’s physical NRIC and the information on it for verification purposes, the commission added. This includes the checking of NRICs for the sale of cigarette to verify the customer's age.
ORGANISATIONS ALLOWED 12 MONTHS TO IMPLEMENT CHANGES
PDPC has proposed a period of up to 12 months from the issuance of the revised guidelines for organisations to adopt alternatives in place of collecting NRICs or NRIC numbers.
Organisations should consider using alternatives such as organisation or user-generated IDs or passwords, tracking numbers, QR codes, or monetary deposit, PDPC said.
A public consultation has been launched to solicit feedback on the proposed guidelines, and whether there are "additional issues or common scenarios" that the guidelines should address.
Those who wish to give feedback can do so by Dec 18 at 5pm via email to email@example.com.
Details of the consultation paper and submission procedures are available on the PDPC website.