Singapore PDPC issues public consultation relating to the NRIC numbers

Written on 17 Nov 2017

Singapore’s Personal Data Protection Commission (“PDPC”) is seeking public feedback on its proposal to revise its Advisory Guidelines relating to the collection, use and disclosure of NRIC numbers (the “Revised Advisory Guidelines”).

The Revised Advisory Guidelines address the following issues: (i) whether organisations may collect, use or disclose individuals’ NRIC numbers or a copy of their NRIC, or retain their physical NRIC; and (ii) other Data Protection Provisions which may apply in respect of the collection, use or disclosure of NRIC numbers or a copy of the NRIC, or the retention of the physical NRIC.

Significantly, the Revised Advisory Guidelines provide that in general, organisations should not collect, use or disclose an individual’s NRIC number or a copy of the NRIC, except in the following circumstances:

(a)    collection, use or disclosure of the NRIC number or copy of the NRIC is required under the law (e.g. under regulation 27(1)(b) of the Hotels Licensing Regulations, hotels must require every guest seeking accommodation in the hotel to furnish the particulars of any identity card, passport or other travel document held by the guest); or

(b)    collection, use or disclosure of the NRIC number or copy of the NRIC is necessary to accurately establish and verify the identity of the individual (e.g. collection of NRIC numbers for entry into a secured building).

The PDPC does not prescribe the types of identifiers that organisations should adopt as alternatives to NRIC numbers or copies of the NRIC. Instead, organisations should assess the suitability of alternatives based on their own business and operational needs (e.g. ID / passwords, or QR codes).

The Revised Advisory Guidelines also clarify that where an organisation retains an individual’s physical NRIC or copy of the NRIC, the organisation is considered to have collected all the personal data on the physical NRIC, and is subject to the Data Protection Provisions of the PDPA in respect of that collection. The organisation should assess whether it is collecting excessive personal data contained in the NRIC for the purpose.

In certain circumstances, an organisation may merely have sight of an individual’s physical NRIC and the information on it for verification purposes. The PDPC may consider that there was no intention to obtain control or possession of the physical NRIC in these circumstances and hence may not consider it a collection or retention of personal data on the physical NRIC.

Other obligations that are relevant in respect of the collection, use and disclosure of NRIC numbers include the Openness, Protection, and Retention Limitation Obligations as well as other Data Protection Provisions that organisations are required to comply with.

The PDPC is proposing to allow organisations a period of up to 12 months from the issuance of the Revised Advisory Guidelines to review and implement the necessary changes to their practices and processes involving the collection, use or disclosure of NRIC numbers, physical NRIC or copies of the NRIC.

The consultation period ends on 18 December 2017.