Businesses in Singapore should take note of the updated personal data protection rules on the collection, use, disclosure and retention of national identification numbers (NRIC numbers, birth certificate numbers, Foreign Identification Numbers, Work Permit numbers and passport numbers) that come into effect on 1 September 2019.
These amendments are especially important to businesses that collect NRIC details from Singaporeans and Permanent Residents for purposes such as identity verification, verification for participation in lucky draws, and loyalty card and membership verification.
Organisations and businesses should take appropriate measures to review their practice of collecting NRIC numbers for security or marketing purposes.
Accepted collection, use, disclosure or retention
From 1 September 2019, private companies may only collect, use, disclose or retain an individual’s NRIC or national identification number:
- if required by the law; or
- if necessary to prove an individual’s identity to a high degree of fidelity; or
- if it is reasonable that the individual would voluntarily provide such data and he or she consented to such collection or use or disclosure.
Where an organisation is allowed to collect such numbers, it must make reasonable security arrangements to protect the NRIC or national identification numbers in its possession or under its control.
Required by Law
For example, it is required by law or necessary to prove your identity when
- joining an organisation as a new employee;
- checking into a hotel;
- seeking treatment at a medical clinic;
- subscribing to a mobile phone line;
- enrolling into a private education institution;
- receiving massage services at a massage establishment;
- opening an account or transacting money at a casino.
(Source: PDPC website).
Also, where an exception under the PDPA applies and the conduct of the organisation is reasonable, consent is not required for the collection, use or disclosure of NRIC numbers. For instance, in an emergency where an individual at a medical centre sustains a fall and needs to be admitted to hospital, disclosure of his or her NRIC number and medical allergies is necessary in response to an emergency that threatens his or her health.
Necessary to prove an individual’s identity to a high degree of fidelity
For example, it is necessary where:
- failure to accurately identify the individual to a high degree of fidelity may pose a significant safety or security risk, e.g. visitor entry to preschools, where ensuring the safety and security of young children is an overriding concern; or
- the inability to accurately identify an individual to a high degree of fidelity may pose a significant risk of impact or harm to an individual or the organisation (e.g. fraudulent claims). Such transactions typically relate to healthcare, financial or real estate matters, such as property transactions, insurance applications and claims, applications for and disbursements of substantial financial aid, background credit checks with credit bureaus, and medical check-ups and reports.
Alternatives to NRIC
Organisations should refrain from collecting, using or disclosing an individual’s NRIC number. Instead, they should assess the suitability of alternatives to NRIC numbers based on their operational and business needs. Some alternatives are a user-generated ID, a tracking number, an organisation-issued QR code or a monetary deposit. These alternatives should also be reasonable, and organisations should not collect excessive alternative personal data.
Partial NRIC numbers may be appropriate in certain circumstances where other alternatives are not satisfactory.
Inappropriate circumstances to collect, use, disclose or retain NRIC
Organisations should not collect NRIC numbers in circumstances where they:
- give out free parking to consumers who spend a certain amount at their malls
- ask consumers to sign up for retail memberships
- request consumers to submit feedback or register interest in a product or service
- hold a lucky draw
- rent a bicycle to a customer
As an example, we would propose that organisations and companies create a separate loyalty programme with membership cards that carry their own identification numbers for customer verification and identification, rather than using the customer’s NRIC, FIN or passport number for verification, in order to comply with the new amendments.
Unless it is absolutely necessary to accurately establish the identity of the individual to a high degree of fidelity in order to safeguard the critical information infrastructure within its business, an organisation should not collect individuals’ NRIC numbers. Where collection is necessary, organisations should also be able to justify to individuals why collecting their full NRIC number is necessary to address the security risks.