
Amendments to the Data Privacy Laws (Personal Data Protection Act 2012) in Singapore

Businesses in Singapore should take note of the updated personal data protection rules on the collection, use, disclosure and retention of national identification numbers (NRIC numbers, birth certificate numbers, Foreign Identification Numbers, Work Permit numbers and passport numbers), which will come into effect on 1 September 2019.

These amendments are especially important to businesses that collect NRIC details from Singaporeans and Permanent Residents for purposes such as identity verification, participation in lucky draws, and loyalty card and membership verification.

Organisations and businesses should take appropriate measures to review their practice of collecting NRIC numbers for security or marketing purposes.

Accepted collection, use, disclosure or retention

From 1 September 2019, private companies may only collect, use, disclose or retain an individual’s NRIC or national identification numbers:

  • if required by the law; or
  • if necessary to prove an individual’s identity to a high degree of fidelity; or
  • if it is reasonable that the individual would voluntarily provide such data and he or she consented to such collection or use or disclosure.

If allowed to collect such numbers, organisations must make reasonable security arrangements to protect NRIC or national identification numbers in their possession or under their control.


Required by Law

For example, it is required by law or necessary to prove your identity when:

  • joining an organisation as a new employee;
  • checking into a hotel;
  • seeking treatment at a medical clinic;
  • subscribing to a mobile phone line;
  • enrolling into a private education institution;
  • receiving massage services at a massage establishment;
  • opening an account or transacting money from a casino.

(Source: PDPC website).

Also, where an exception under the PDPA applies and the conduct of the organisation is reasonable, consent is not required for the collection, use or disclosure of NRIC numbers. For instance, in an emergency situation where an individual at a medical centre sustains a fall and needs to be admitted to the hospital, disclosure of his or her NRIC and medical allergies is necessary as a response to an emergency that threatens his or her health.

Necessary to prove an individual’s identity to a high degree of fidelity

For example, it is necessary where:

  • failure to accurately identify the individual to a high degree of fidelity may pose a significant safety or security risk, for example visitor entry to preschools, where ensuring the safety and security of young children is an overriding concern; or
  • the inability to accurately identify an individual to a high degree of fidelity may pose a significant risk of impact or harm to an individual or the organisation (for example, fraudulent claims). Such transactions typically relate to healthcare, financial or real estate matters, such as property transactions, insurance applications and claims, applications and disbursements of substantial financial aid, background credit checks with a credit bureau, and medical check-ups and reports.

Alternatives to NRIC

Organisations should refrain from collecting, using or disclosing an individual’s NRIC. Instead, they should assess the suitability of alternatives to NRIC numbers based on their operational and business needs. Some alternatives would be a user-generated ID, a tracking number, an organisation-issued QR code or a monetary deposit. These alternatives should also be reasonable, and organisations should not collect excessive alternative personal data.

Partial NRIC numbers may be appropriate in certain circumstances where other alternatives are not satisfactory.

Inappropriate circumstances to collect, use, disclose or retain NRIC

Organisations should not collect NRIC numbers in circumstances where they:

  • give out free parking to consumers who spend a certain amount at their malls;
  • ask consumers to sign up for retail memberships;
  • request consumers to submit feedback or register interest in a product or service;
  • hold a lucky draw; or
  • rent a bicycle to a customer.


As an example, we would propose that organisations and companies create a separate loyalty programme with membership cards that carry their own identification numbers for customer verification and identification, rather than using customers’ NRIC, FIN or passport numbers, in order to be compliant with the new amendments.

Unless it is absolutely necessary to accurately establish the identity of the individual to a high degree of fidelity in order to safeguard the critical information infrastructure within its business, an organisation should not collect NRIC numbers of individuals. If collection is necessary, organisations should also be able to provide justification to individuals as to why the collection of an individual’s full NRIC is necessary to address security risks.
