Amendments made by the Personal Data Protection Commission (PDPC) to rules regarding National Registration Identity Cards (NRIC) will prohibit organisations from collecting, using, or disclosing their customers’ NRIC and other national identification numbers except in cases where it is required by law to do so, or if the situation necessitates full identification such as in cases of medical emergency.
In a press release yesterday (31 Aug), the PDPC announced that the new rules will be implemented to “enhance consumer protection”.
The PDPC has released advisory guidelines to “enhance consumer protection against indiscriminate and unjustified collection, use and disclosure of individuals’ NRIC numbers and retention of physical NRICs”.
The same guidelines will apply to “Birth Certificate numbers, Foreign Identity Numbers and Work Permit numbers”.
Customers can now choose to not provide their national identification upon purchasing movie tickets online, when signing up for retail membership, upon redemption of free parking, and even when entering secured buildings such as condominiums, where they can provide their partial NRIC numbers, up to the last three digits and checksum, and even so, organisations are required to comply with the Act’s Data Protection Provisions, in that the data must be reasonably secured and remain undisclosed.
PDPC suggested using alternative identifiers such as user-generated IDs, tracking numbers or organisation-issued QR codes.
In most cases, consumers may instead provide mobile phone numbers, email addresses, or other forms of identification.
However, the public sector is exempt from the new guidelines.
Situations in which the failure to properly identify an individual might result in significant harm, such as entering the premises of preschools and critical infrastructure buildings, are also exempt from the new guidelines.
To illustrate, members of the public are required to provide their national identification upon checking into a hotel, subscribing to a telephone line, attending a doctor’s appointment, and upon being hired at a new workplace.
Organisations that have collected NRIC numbers are urged to re-evaluate their need to continue storing the numbers. Should they not find any need to do so, organisations should dispose of the information responsibly and in line with disposal methods outlined by PDPC.
Should organisations choose to keep the national identification numbers in their records, they must take precautions to ensure there is sufficient protection of the data, and are even encouraged to anonymise the data.
The PDPC has issued a Technical Guide to complement the NRIC Advisory Guidelines, which will provide organisations with methods to replace national identification with other identifiers in their websites and other public frontline computer systems.
Organisations that fail to abide by the new guidelines by the stipulated date of enforcement will be deemed to have breached the Personal Data Protection Act (PDPA) and may be subjected to penalties as laid out in the Act, which may include a fine of up to S$1 million.
