More user friendly for PDPC to state upfront when NRIC details are required by law and required for identity verification

I note that the collection of national registration identity card (NRIC) numbers and the making of copies of NRICs will no longer be permitted come 1 September 2019. While this is a laudable move and will no doubt help reduce the incidences of identity fraud, I wonder if it goes far enough? Could it be refined to work better?

According to reports, organisations will be permitted to ask for NRIC numbers if this is required by the law. In practice though, how will we ever know when it would be required by law? What is to stop an organisation from misrepresenting that something is required by law when it isn’t and how will we be the wiser?

In the guidelines issued by the Personal Data Protection Commission (PDPC), we are told to check if we are required by law to divulge our NRIC details. But how do we check? Do we just ask the company in question and take their answers at face value? Will companies who wrongfully collect NRIC data after 1 September 2019 be held to account and punished? Will there be a website we can verify this with or perhaps a hotline we can call?

Secondly, we are told to provide our NRIC numbers if it becomes necessary to prove our identity. However, when will such a scenario actually arise? Can’t we prove our identities in other ways? Driving licenses perhaps? Perhaps, guidelines should also be issued on scenarios when NRICs are required to be provided to prove our identities.

These new rules are well intentioned. The devil, however, is in the detail. For it to be effective, it needs to be easy to use and relate to. If we aren’t told the scenarios when it would be legally required to provide NRIC details, we would be none the wiser. We would just provide them whenever we are asked to and take the company asking for the information at face value. If we are not told the scenarios where our NRIC details are required for identify verification purposes, we would again simply provide them when asked.

Providing examples of when NRIC details are not required as is done in the current guidelines is helpful but only to a certain extent. Fraudsters would always be on the lookout to look for loopholes. To what extent has PDPC considered these issues? It might be more user friendly for the PDPC to state upfront when NRIC details are required by law and when these are required for identity verification.