SINGAPORE: Organisations in Singapore will have to stop the practice of indiscriminate collection of people’s NRIC details from Sep 1 next year.
The Personal Data Protection Commission (PDPC) on Friday (Aug 31) issued its enhanced advisory guidelines following the close of the public consultation last December.
It said that under the updated guidelines, organisations can collect, use or disclose NRIC numbers or copies of the NRIC only under certain specific circumstances.
First, if they are required by the law or deemed necessary to accurately verify one’s identity to a “high degree of fidelity”, the PDPC said in its press release.
For example, a telco will continue to be allowed to keep a record or scanned copy of subscribers’ NRICs, as it is legally required to maintain a register of customers, the agency explained.
The second exception is when failing to provide NRIC details could pose a significant safety or security risk, or may pose a risk of significant impact or harm to an individual and the organisation, it added.
These could be transactions relating to healthcare or real estate matters like insurance applications and claims.
Another example of this exception would be when stores that sell cigarettes have to ask consumers for their NRIC to verify that they meet the minimum legal age for buying the product, PDPC said.
It did add that organisations should be able to justify why they are collecting NRIC numbers when asked by individuals or the PDPC.
“The NRIC number is a permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to an individual,” the data privacy watchdog said.
“In today’s digital economy, indiscriminate collection or negligent handling of NRIC numbers can increase the risk of unintended disclosure and may result in NRIC numbers being used for illegal activities such as identity theft or fraud.”
This same treatment applies to birth certificate numbers, foreign identification numbers and work permit numbers. As for passport numbers, even though they are periodically changed, organisations should avoid collecting the full numbers unless justified, it said.
The updated guidelines do not apply to a public agency or an organisation acting on its behalf though.
A Smart Nation and Digital Government Office (SNDGO) spokesperson told Channel NewsAsia that the Government, as the issuing authority for the NRIC, “rightfully uses the NRIC to discharge its functions and services with citizens in a secure manner”.
It will review its processes to ensure public agencies limit the use of NRIC numbers, and the retention of physical NRICs, to transactions where such use is required by law or is necessary to accurately establish people’s identities, the spokesperson said.
“As we improve the use of data to serve citizens and businesses, the Government will ensure that our data protection measures continue to be on par, if not better, than best practices in the private sector,” added the spokesperson.
MAKING THE CHANGE
To help ease the transition for organisations here, especially for smaller businesses, PDPC said it will work with the Info-communications Media Development Authority (IMDA) to do the following:
- Publish a technical guide that would provide organisations with information on how they can replace NRIC numbers with alternative identifiers for websites and public-facing computer systems
- Identify pre-approved technology solutions for them to adopt
- Develop template notices that organisations can use to manage customer expectations during the transition period
As alternatives to NRIC numbers organisations could allow users to create their own user ID, email addresses or tracking numbers in verifying their identities, PDPC said.
Other examples could be the use of mobile phone numbers or the use of parts of the NRIC, like the last three digits and the last letter.
There are 22 pre-approved technology solutions identified for organisations to turn to as they embark on the necessary changes.
For companies worried about the financial outlay of adopting these solutions, IMDA said they can apply for the Productivity Solutions Grant to help defray the costs.
And there are business benefits to be reaped for companies who view this requirement as a competitive advantage, rather than a compliance cost.
Mr Yeong Zee Kin, deputy commissioner at PDPC, said: "If there's no need to hang on to NRIC data, then keeping it actually introduces additional risk” as he warned that the data could potentially be hacked and the organisations liable for any leaked information.
The directive for organisations to dispose of NRIC numbers they have collected "is actually the trickiest directive to implement", said Mr Adrian Tan, head of Intellectual Property and Technology, Media and Telecom at TSMP Law Corporation.
"The whole point of data collection is that data, once collected, lives forever, somewhere, somehow," Mr Tan explained.
"Data is stored and backed up off-site. So, while there is a lot of technology to protect and store data, there is a lot less technology to ensure that data has been completely and thoroughly scrubbed away from the cloud and from everywhere else."
Beyond the updated guidelines, PDPC said a mindset change is needed to better safeguard personal data.
"Old practices introduced back in the pen-and-paper days needs to be revised ... to be more sophisticated and digitally secure,” Mr Yeong explained.
He also said it’s not just organisations that need to change, but consumers too.
Responding to an example brought up by Channel NewsAsia about contests found on AXS machines requiring people to sign up using their NRIC numbers to stand a chance to win a car, Mr Yeong said: “Consumers also need to ask if they want to give such data for a chance to win a car.”
“All parties need to play a part,” he added.
TSMP's Tan agreed, saying that as the Government rolls out the next-generation digital identity system, NRIC will have far more information on it.
"We cannot carry on with old practices and need to start treating our ICs with more respect".