The Personal Data Protection Commission (PDPC) issued Guidelines on 31 August 2018 governing the use and collection of the NRIC and other identification documents, such as birth certificates, employment passes, work permits and passports (collectively referred to as "NRIC" in this article).
The Guidelines were implemented because the NRIC is a unique identifier of an individual and contains personal data. Indiscriminate or negligent handling of the NRIC increases the risk of illegal activities such as identity theft and fraud, and potentially causes harm to the individual.
The Guidelines do not set new law, but merely clarify the legal position under the Personal Data Protection Act (PDPA). As the NRIC contains personal data, the collection, use and disclosure of the NRIC have always been subject to the provisions of the PDPA, which protects personal data.
The Guidelines state that organisations are generally not allowed to:
- collect and keep a physical copy of the NRIC;
- make a copy of the NRIC; and
- collect, use or disclose NRIC numbers.
Organisations may collect, use or disclose an individual's NRIC only where:
- it is required under the law, for example, when seeking medical treatment or when subscribing to a mobile telephone line;
- it is necessary to accurately establish and verify the identity of the individual to a high degree of fidelity, for example, in financial or real estate matters; or
- it falls under an exception under the PDPA, for example, a hotel providing the NRIC number of a guest to a hospital in the situation where the guest has to seek emergency medical attention.
Review of existing practices
The PDPC will enforce the Guidelines from 1 September 2019. Organisations will have to take immediate steps to review their practices and make the changes necessary to ensure that any existing or proposed collection or use of the NRIC is either permitted under the law or is otherwise justified.
Generally, the PDPC considers that it is necessary to accurately establish or verify the identity of an individual to a high degree of fidelity where failure to accurately identify the individual would:
- pose a significant safety or security risk, for example, the identity of a visitor entering a preschool has to be verified in order to protect the children;
- pose a significant impact or harm to an individual and/or the organisation, for example the identity of an individual must be verified to prevent fraudulent claims/activity in healthcare, financial or real estate matters.
Many existing practices will have to be relooked, and new procedures will have to be adopted. One example brought up by the PDPC is the collection of the NRIC for the purpose of a job application. There is no law which requires a prospective employer to collect the NRIC number of a job applicant, and the situation is unlikely to be one where it is necessary to establish the identity of the individual to a high degree of fidelity. Organisations may verify the identity of the applicant by merely having sight of the individual's physical NRIC. If necessary, organisations may consider taking down only the partial NRIC number. The PDPC considers that use of the last 4 characters of the NRIC would not be considered to be use of the NRIC.
Organisations have to review their practices and consider whether it is possible to adopt another identifier in place of the NRIC. Such identifiers include:
- the use of partial NRIC numbers instead of the full NRIC number;
- mobile phone numbers;
- email addresses;
- QR codes;
- organisation or user generated IDs;
- combination of different identifiers, such as first name + part phone number + date of birth.
It would be useful to carry out a Data Protection Impact Assessment to:
- identify whether collection of the NRIC is necessary;
- consider the data flow – where the NRIC resides, who has access to the NRIC, etc.;
- identify and assess risks; and
- create an action plan to either change the current practice, or to continue with the current practice.
The fact that an organisation may have to incur high costs to make changes to IT systems which currently use the NRIC as an identifier is not good justification for not making any changes, as the PDPC has made it clear that it expects changes to be made to IT systems.
If, having done a full assessment, an organisation determines that it needs to use NRIC numbers for its purposes, it will need to ensure that it has sufficient physical and technological measures to provide a high level of security to protect the NRIC numbers. Organisations should also regularly review the NRIC numbers (or copies of NRIC) in their possession or control, to determine whether they are still needed. The PDPC has stated in the Guidelines that an organisation should not keep the NRIC number (or copy of the NRIC) "just in case", when it is no longer necessary for the purpose for which it was collected.
Scanning of NRIC
Many organisations scan an NRIC in order to record the NRIC number, as this is more accurate and efficient than manually recording the NRIC. In the Technical Guide to Advisory Guidelines on the Personal Data Protection Act for NRIC and other National Identification Numbers (published 31 August 2018), the PDPC states that when organisations scan an NRIC, care must be taken to ensure that complete NRIC numbers are not stored permanently. After scanning, the NRIC number must be converted to a format which only includes a partial NRIC number or a hashed NRIC number. The complete NRIC number should not be used.
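As an added illustration (not code from the PDPC's Technical Guide or from this article's authors), the sketch below converts a scanned number into the two forms described above before anything is stored. The function names, the assumed number format, the sample number and the choice of HMAC-SHA-256 as the hashing method (a keyed hash, used here because an unkeyed hash over so small a number space can be recomputed by enumeration) are assumptions of this example.

```python
import hashlib
import hmac
import re

# Assumed format for this sketch: prefix letter, seven digits, check letter.
NRIC_FORMAT = re.compile(r"[A-Z]\d{7}[A-Z]")


def normalise(scanned: str) -> str:
    """Trim and upper-case scanner output; reject anything malformed."""
    value = scanned.strip().upper()
    if not NRIC_FORMAT.fullmatch(value):
        raise ValueError("scanner output is not a well-formed number")
    return value


def partial_nric(scanned: str) -> str:
    """Keep only the last 4 characters, the partial form the article names."""
    return normalise(scanned)[-4:]


def hashed_nric(scanned: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256) so the token cannot be recomputed without
    the key; the number space is small enough to enumerate otherwise."""
    if len(key) < 32:
        raise ValueError("key must be at least 32 bytes")
    return hmac.new(key, normalise(scanned).encode("ascii"), hashlib.sha256).hexdigest()


def to_stored_record(scanned: str, key: bytes) -> dict:
    """Build the only fields that get persisted; the full number is dropped."""
    return {"partial": partial_nric(scanned), "token": hashed_nric(scanned, key)}


if __name__ == "__main__":
    demo_key = bytes(range(32))  # constructed key; load from a secret store in practice
    print(to_stored_record(" s1234567d ", demo_key))  # constructed sample number
```

The token still lets two scans of the same number be matched, so the key needs the same protection the full number would have had.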
How we can help
We help our clients to review their practices and processes, and to develop alternative practices and processes which are in compliance with the relevant laws.
We offer a full suite of services to help organisations comply with data protection laws of Singapore, and those of other countries which apply to them.
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.