Collecting NRIC numbers and making copies of ID card will be illegal from September 1, 2019, Singapore News & Top Stories

SINGAPORE – From September 1 next year, it will be illegal for organizations to collect, use or disclose NRIC numbers or make copies of ID card, under more stringent rules set out Friday August 31 by the Commission for the protection of personal data.

For years, places like shopping malls have collected NRIC numbers when registering customers for sweepstakes and memberships or even to track parking refunds.

But the updated rules means that organizations will no longer be allowed to do this.

Organizations that have collected NRIC numbers are also encouraged to assess whether they should keep these numbers, and if not, it is suggested that they dispose of them responsibly and in accordance with lawful disposal methods. on the protection of personal data (PDPA) by next year.

Organizations that decide to keep their collection must ensure adequate protection. They can also choose to anonymize the NRIC. This follows the update of the rules for this collection under the PDPA, which came into full force in July 2014.

“In today’s digital economy, the indiscriminate collection or careless handling of NRIC numbers can increase the risk of unintentional disclosure and may result in the use of NRIC numbers for illegal activities such as identity theft or fraud, “the commission said in a statement released Friday (Aug 31).

He added that such risks arise because the NRIC number is a permanent and irreplaceable identifier.

Companies have also been warned that unless required by law, it will also not be allowed to physically retain an individual’s NRIC from September 1.

Although the law already prohibits the indiscriminate collection of consumers’ personal data and requires organizations to report on the use of the data, privacy advocates have argued that details of the NRIC are still being collected, sometimes for reasons futile. These ranged from booking a movie ticket to renting a bike.

Following public comments, the privacy watchdog proposed updated guidelines which were then submitted for public consultation from November to December of last year, before stricter rules were introduced. are developed.

However, there are exceptions.

NRIC numbers or copies of the NRIC can only be obtained or shared if they are required by law, for example when subscribing to a new phone line, making a doctor’s appointment, or calling a doctor. check-in at a hotel.

Details of the NRIC can also be collected when there is a need to accurately verify the identity of an individual “to a high degree of fidelity”.

This would include visits to preschools or transactions involving health, financial or real estate matters, and when not received it could endanger safety or cause significant damage.

“Where the collection, use and disclosure of physical NRICs or the retention of physical NRICs is permitted, organizations should ensure that adequate safeguards are in place to protect personal data in their possession or under their control. , in accordance with their obligations under the PDPA, ”the commission added.

These updated guidelines do not apply to government or to any agency or public body acting on its behalf.

In response to questions from the Straits Times, a spokesperson for Smart Nation and the Digital Government Office said the government is the issuing authority for the NRIC and is rightfully using it to “carry out its duties. and services with citizens in a secure manner ”.

The spokesperson added: “Nonetheless, the government will review its processes to ensure that public bodies limit the use of NRICs and the retention of physical NRICs to transactions where such use is required by law or is necessary. to establish with precision the identity of the persons. “

Organizations that flout the law can be fined up to $ 1 million.

These updated rules for NRIC numbers also apply to other national identification numbers, such as birth certificate numbers, foreign identification numbers, and work permit numbers.

Although passports are periodically replaced, the commission said organizations should also avoid collecting individuals’ full passport numbers unless justified.

He acknowledged that some organizations collect a partial NRIC number and clarified that details up to the last three numeric digits and the letter of the NRIC would not be considered the full NRIC number.

But he added that those partial numbers are still considered personal data under the law because they could identify a person.

The privacy watchdog reiterated that organizations that collect partial NRICs must always comply with the provisions of the data protection law and must take steps to ensure that such data is secure and not disclosed.

He said it does not prescribe the type of identifiers that organizations can use in place of NRIC numbers, and that organizations are encouraged to evaluate these alternatives based on their own needs.

Some suggested alternatives include an organization or user-generated ID, tracking numbers, or organization-issued QR codes.

The commission said it would, along with the Infocomm Media Development Authority (IMDA), help organizations adapt by publishing a technical guide on replacing the NRIC number with alternative identifiers.

The commission and IMDA will identify pre-approved technology solutions that companies can adopt.

They will also develop review templates that organizations can use to manage customer expectations during this time of transition.