
Amendments to the Data Privacy Laws (Personal Data Protection Act 2012) in Singapore

By Kenneth Pereire | Category: Data Privacy

Businesses in Singapore should take note of the updated rules in personal data protection in Singapore in relation to the collection, use, disclosure and retention of national identification numbers (NRIC numbers, birth certificate numbers, Foreign Identification Numbers, Work Permit numbers and Passport Numbers) that will come into effect on 1 September 2019. 

These amendments are especially important to businesses that collect NRIC details from Singaporeans and Permanent Residents for various purposes such as identity verification, verification for participation in lucky draws, loyalty card and membership verification purposes.        

Organisations and businesses should take appropriate measures to review their practice of collecting NRIC numbers for security or marketing purposes.

Accepted collection, use, disclosure or retention

From 1 September 2019, private companies may only collect, use, disclose or retain an individual’s NRIC or national identification numbers:

  • if required by the law; or
  • if necessary to prove an individual’s identity to a high degree of fidelity; or
  • if it is reasonable that the individual would voluntarily provide such data and he or she consented to such collection or use or disclosure.

If allowed to collect such numbers, organisations must make reasonable security arrangements to protect NRIC or national identification numbers in their possession or under their control.

Required by Law

For example, it is required by law or necessary to prove your identity when

  • joining an organisation as a new employee;
  • checking into a hotel;
  • seeking treatment at a medical clinic;
  • subscribing to a mobile phone line;
  • enrolling into a private education institution; 
  • receiving massage services at a massage establishment;
  • opening an account or transacting money from a casino

(Source: PDPC website).  

Also, where an exception under the PDPA applies and the conduct of the organisation is reasonable, consent is not required for the collection, use or disclosure of NRIC numbers. For instance, in an emergency situation where an individual at a medical centre sustains a fall and needs to be admitted to hospital, disclosure of his or her NRIC and medical allergies is necessary as a response to an emergency that threatens his or her health.

Necessary to prove an individual’s identity to a high degree of fidelity

For example, it is necessary where:

  • failure to accurately identify the individual to a high degree of fidelity may pose a significant safety or security risk, for example visitor entry to preschools, where ensuring the safety and security of young children is an overriding concern; or
  • the inability to accurately identify an individual to a high degree of fidelity may pose a significant risk of impact or harm to an individual or the organisation (for example, fraudulent claims). Such transactions typically relate to healthcare, financial or real estate matters, such as property transactions, insurance applications and claims, applications and disbursements of substantial financial aid, background credit checks with a credit bureau, and medical check-ups and reports.

Alternatives to NRIC

Organisations should refrain from collecting, using or disclosing an individual’s NRIC. Instead, they should assess the suitability of alternatives to NRIC numbers based on their operational and business needs. Some alternatives would be a user-generated ID, a tracking number, an organisation-issued QR code or a monetary deposit. These alternatives should also be reasonable, and organisations should not collect excessive alternative personal data.

Partial NRIC numbers may be appropriate in certain circumstances where other alternatives are not satisfactory.

Inappropriate circumstances to collect, use, disclose or retain NRIC

Organisations should not collect NRIC numbers in circumstances where they:

  • give out free parking to consumers who spend a certain amount at their malls
  • ask consumers to sign up for retail memberships
  • request consumers to submit feedback or register interest in a product or service
  • hold a lucky draw
  • rent a bicycle to a customer

Conclusions

As an example, we would propose that organisations and companies create a separate loyalty programme with membership cards that carry their own identification numbers for customer verification and identification, rather than using customers' NRIC, FIN or passport numbers for verification, in order to be compliant with the new amendments.

Unless it is absolutely necessary to accurately establish the identity of the individual to a high degree of fidelity in order to safeguard the critical information infrastructure within its business, an organisation should not collect the NRIC numbers of individuals. If collection is necessary, organisations should also be able to justify to individuals why the collection of an individual’s full NRIC is necessary to address security risks.


Kenneth Pereire

Kenneth Pereire is an attorney at law, managing partner at KGP Legal LLC. The law firm specializes in corporate & commercial law, financial services regulations, technology & startup law, etc. Kenneth has been a Singapore lawyer since 2011 and has been practicing since.
