Singapore issues new data protection guidelines to curb usage of identification numbers
Published on 31st Aug 2018
Earlier today on 31 August 2018, Singapore's privacy regulator, the Personal Data Protection Commission (PDPC), issued guidelines relating to the use of personal identification numbers. Commonly known as NRIC (National Registration Identification Card) numbers, they are unique identifiers assigned by the Singapore Government to each Singapore citizen and Permanent Resident. They constitute personal data within the meaning of the Singapore Personal Data Protection Act 2012.
NRIC numbers are often used as a required field of information during Government-related transactions. Many companies in Singapore also routinely ask for NRIC numbers when transacting with individuals, whether asking for physical NRICs, soft copies of NRICs or NRIC numbers.
The guidelines have been titled the "Advisory Guidelines on the Personal Data Protection Act for NRIC and Other National Identification Numbers" (the Guidelines for NRIC Numbers). This comes about 10 months after the PDPC issued its public consultation paper on the Proposed Advisory Guidelines on the Personal Data Protection Act for NRIC Numbers in November 2017.
Here are 7 things that organisations handling individuals' NRIC numbers should know from the Guidelines for NRIC Numbers:
1. Organisations will not be allowed to collect, use or disclose NRIC numbers except in specified circumstances
These are when the collection, use or disclosure of NRIC numbers is:
- required under the law; or
- necessary to accurately establish or verify identities to a high degree of fidelity.
We discuss these two specified circumstances below.
2. Organisations may collect, use or disclose NRIC numbers when required under the law
There are some specific laws or regulations that require certain organisations to collect NRIC numbers or copies of NRICs. Generally, such requirements are necessary to verify identity for the provision of services. Examples include the following:
- Employers may collect employees' NRIC numbers for record-keeping purposes.
- Telecommunications companies providing mobile phone services may collect customers' NRIC numbers and keep a copy of the NRIC as evidence of identity.
- Hotels must collect NRIC numbers upon check-in as a record of identity.
- Healthcare institutions may collect NRICs and may ask to review the NRICs for verification purposes.
3. Organisations may collect, use or disclose NRIC numbers to accurately establish or verify identities of the individuals to a high degree of fidelity
The Guidelines for NRIC Numbers provide that where an organisation finds it necessary to accurately establish or verify the identity of individuals to a high degree of fidelity, it may collect, use or disclose their NRIC numbers. However, there must be adequate notification and consent.
Situations that may warrant the application of this exception include the following:
- Where failure to accurately identify an individual may pose a significant safety or security risk.
- Where the inability to accurately identify an individual may pose a risk of significant impact of harm to others.
- Where there are no viable alternatives to verifying age to comply with the law.
Examples provided by the PDPC include:
- Visitors attempting to enter preschools, where ensuring the safety and security of the students is an overriding concern.
- Situations where there is a risk of fraudulent claims leading to financial loss, such as property transactions, insurance applications and claims, applications and disbursements of financial aid, and background credit checks with credit bureaux.
- The selling of tobacco.
Organisations in these circumstances should cease to retain such data when it is no longer necessary to keep it for the legal or business purposes for which it was collected.
4. Organisations should drop the practice of collecting the physical NRIC where possible
Although access to highly secured premises (for example, data centres) may include exchanging one’s physical NRIC for a visitor badge, such a practice is not mandated by law. As an alternative, an organisation may consider selecting a single point of exit for visitors to return their visitor badges before leaving.
5. Organisations should consider using alternatives to NRIC numbers as a field of identification
Organisations are encouraged to assess the suitability of collecting alternatives to NRIC numbers based on their business and operational needs. These alternatives include user-generated IDs, tracking numbers, organisation-issued QR codes, monetary deposits or partial NRIC numbers.
Organisations may consider other methods of verifying identity. These include:
- Checking vehicle or mobile phone numbers.
- Booking references, tracking numbers or SMS confirmations.
- Adopting visitor management systems instead of open physical visitor log books.
6. If other alternatives to NRIC numbers as a field of identification are not viable, partial NRIC numbers may be considered
In the Guidelines for NRIC Numbers, the PDPC also addressed the use of partial NRIC numbers for the purposes of verification. Typically, partial NRICs comprise the last 3 numerical digits of the NRIC numbers or the checksum (e.g. “567A” from the full NRIC number of “S1234567A”).
Partial NRIC numbers are considered personal data to the extent that an individual may be identified from the partial NRIC number, or from the number and other information to which the organisation has or is likely to have access.
The Guidelines for NRIC Numbers suggest that partial NRIC numbers should only be considered if other alternatives to full NRIC numbers are not viable for the relevant legitimate purposes.
7. Organisations have until 1 September 2019 to implement necessary changes
Organisations are encouraged to review and implement necessary changes to their existing business practices before the deadline of 1 September 2019, the date from which the PDPC will enforce the Guidelines for NRIC Numbers.