Security firms, companies raise concerns over new NRIC collection guidelines

SINGAPORE — Security firms have raised concerns over the new guidelines banning organisations from using and collecting National Registration Identity Card (NRIC) numbers from September next year, even as consumers cheer the move.

While some security agencies providing services to private condominiums and commercial buildings already have some measures in place to abide by the new rules, others said it will need some time to tweak work processes.

From Sept 1 next year, organisations will not be allowed to collect, use and disclose NRIC numbers, the Personal Data Protection Commission (PDPC) announced on Friday (Aug 31).

They are also not allowed to make copies of, or retain the physical cards, except under specific circumstances. The new guidelines do not apply to the public sector or critical infrastructure buildings.

All the agencies TODAY spoke with acknowledged that these measures will have some impact on their work.

Some raised issues in terms of balancing the need for maintaining security, and also abiding by the new guidelines.

One alternate measure suggested by the PDPC includes providing the last three numerical digits of a NRIC and checksum. But Ms Manjit Kaur, director of Deep Security Services, noted that this might make it "difficult to trace back" in the event something happens.

Similarly, president of the Association of Certified Security Agencies (ACSA) Robert Wiener, pointed out that without an identity document like the NRIC, it would be a challenge for security guards of private residences, for example, to accurately identify individuals who are suspected of breaking into an apartment or condominium complex.

Noting that it is currently common practice for NRICs to be used in exchange for a building access pass, Reachfield Security and Safety Management's general manager Grace Lim said another issue that could arise is when there is nothing of value to exchange for an access pass, especially in a commercial building.

"How do you make sure the person returns it? What if they run away with it? Then we will have another security issue at hand," Ms Lim said.

Nevertheless, her company has tweaked its visitor management systems about two months ago to omit the NRIC number in its entirety. Ms Lim said the company's system now only shows the visitor's last three digits, and checksum, when an IC is scanned.

Mr Shane Shim, general manager of Westminster Investigation and Security Management, told TODAY that one concern was members of the public "misusing...or misunderstanding the rules", thinking that they do not need to – and refusing to – show their NRIC in any circumstance.

To this end, his company – which provides security services to nine condominiums and about 10 commercial buildings – will be providing additional training for its officers to manage such situations and familiarise them with the new guidelines.

The five security agencies TODAY spoke with said they do not enforce the collection of NRICs, and currently use it to verify identities before returning it to the visitor. Some, like Westminster, would encourage visitors to surrender another non-NRIC photo identification, in exchange for an access pass.

"We don't want a situation where the NRIC goes missing while we retain it - it could be problematic," Mr Shim said.

CONSUMERS CHEER, COMPANIES FEAR

Although consumers who spoke to TODAY said they are unsure how their NRIC numbers could be misused, most agreed it is good practice not to disclose the information without valid reason.

Citing NRIC numbers as something "very personal", Ms Vanessa Lee, 29, said: "You don't know whether it will be used against you."

While there is growing consumer awareness on how personal information could be used by companies, Mr Firdaus Isnin, 32, felt local consumers are still too complacent about data security as many do not bother to "read the fine print". So the new guidelines is "a good start".

Meanwhile, companies cite training and practical challenges as issues that they need to overcome in the lead-up to Sept 1 next year.

Some solutions, such as a visitor management system, are readily available off-the-shelf and would not entail a "huge investment" for security vendors at condominiums, said ACSA's Mr Wiener. However, he noted that training security officers would be critical, to get them to understand the reason for the changes, and what they need to do to comply with the guidelines.

Fashion retailer Decks, which own brands such as the Island Shop and Surfers Paradise, said practical issues, such as how to efficiently identify their customers, will be one of their greatest challenges.

Even though it does not require its customers to provide NRIC numbers when signing up for retail membership with its brands, Decks' managing director Kelvyn Chee said NRIC numbers remain the most efficient way of verifying members because unlike emails and contact numbers, individual NRIC numbers do not change.

Issuing membership numbers is not a practical move since customers will not remember it, Mr Chee said. The new rules mean his staff will have to "spend more time to get their details", he added.

The National Trades Union Congress' chief data protection officer Kwong Yuk Wah said she had hoped there would be a longer lead time to implement the changes. "These changes have wide impact on businesses, organisation and workers," she said, adding that she is looking to PDPC to "step up educational efforts".

Correction: An earlier version of this story got the gender of NTUC's chief data protection officer Kwong Yuk Wah wrong. We apologise for the error.