Singapore's data protection watchdog has issued updated guidelines to enhance consumer protection against the indiscriminate collection, use and disclosure of individuals' National Registration Identity Card (NRIC) numbers and retention of physical NRICs.
From 1 September 2019, organisations in Singapore will not be allowed to collect, use or disclose NRIC numbers or copies of the NRIC except under certain specific circumstances. These are: if the collection, use or disclosure is required by the law; or it is necessary to accurately establish or verify an individual’s identity to a high degree of fidelity, said the Personal Data Protection Commission (PDPC) in a statement last week.
As an NRIC number is a permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to an individual, ‘indiscriminate collection or negligent handling of NRIC numbers can increase the risk of unintended disclosure and may result in NRIC numbers being used for illegal activities such as identity theft or fraud’, noted the PDPC.
In Singapore, NRIC numbers are used in a wide range of online transactions, and are the gateway to many critical government services available on the Internet, thus putting a significant amount of an individual's personal data at risk should an NRIC number be fraudulently obtained.
The new rules for the NRIC also extend to Birth Certificate numbers, Foreign Identification Numbers and Work Permit numbers. Although Singapore passport numbers are periodically replaced, the PDPC said that organisations should also avoid collecting full passport numbers of individuals unless justified.
Furthermore, an individual’s physical NRIC, or other identification documents containing NRIC numbers or other national identification numbers, can only be retained by an organisation if required by law.
“Where the collection, use and disclosure of NRIC numbers or retention of physical NRICs is permitted, organisations must ensure that adequate protection measures are in place to safeguard the personal data in their possession or under their control, in compliance with their obligations under the Personal Data Protection Act,” said the PDPC.
The PDPC developed the updated guidelines in consultation with consumers and businesses over a six-week period from 7 November 2017 to 18 December 2017. It received strong support for its proposals, it said.
The PDPC said that organisations should assess the suitability of identifiers used in place of NRIC numbers according to their business and operational needs. It also urged them to consider whether the alternatives provided are reasonable, and avoid collecting excessive personal data as alternatives to NRIC numbers.
Recognising that some organisations may require time to review and assistance to implement changes to their practices to comply with the updated guidelines, the Singapore government will render assistance in the transition period by providing guidance with NRIC alternatives and identifying technology solutions for systems such as those involving visitor management and customer relationship management.