Date: 2019-08-26

There are new rules regarding the collection of Singaporeans’ NRIC numbers. Organisations that fail to meet the new guidelines could face up to S$1 million in penalties. (The Straits Times)

With new rules on the collection of personal data set to kick in on Sunday (September 1), the Personal Data Protection Commission (PDPC) has issued a reminder to organisations about the collection, use, retention and disclosure of National Registration Identity Card (NRIC) numbers in Singapore.

The updated NRIC Advisory Guidelines were first announced in August last year, and organisations have been given a year to prepare for them.

In a statement, the PDPC said that there was a need to reduce “indiscriminate or unjustified collection and negligent handling” of NRIC numbers, especially since they can be used to retrieve people’s individual and private data.

Instead of using NRIC numbers to identify individuals, PDPC said organisations must now use alternative identifiers, but must also “avoid excessively collecting other personal data as substitutes to NRIC numbers”.

Security measures such as password protection and two-factor authentication are also recommended.

In Singapore, organisations may also utilise the SG-Verify service, which is an in-built feature of SingPass Mobile that enables faster identity verification checks and secure data transfer through QR Code scanning.

If you’re unsure about when to provide your NRIC, here’s a quick guide on what the new privacy guidelines say about organisations collecting and using your various identification numbers.

When can an organisation ask for your NRIC?

Under the updated NRIC Advisory Guidelines, private sector organisations are not allowed to collect, use or disclose NRIC numbers or copies of the NRIC unless:

The collection, use or disclosure is required by the law; or

It is necessary to establish or verify an individual’s identity to a high degree of accuracy.

This also applies to Birth Certificate numbers, Foreign Identification Numbers and Work Permit numbers, PDPC said.

Also, while passport numbers are periodically replaced, organisations “should avoid collecting the full passport numbers of individuals unless justified as well”, it added.

Even your physical NRIC and other identification documents that contain these national identification numbers should not be retained by organisations unless it is required by law.

However, an organisation may check your physical NRIC, Foreign Identity card or passport if it needs to verify your particulars.

Under the Personal Data Protection Act (PDPA), organisations that are allowed to collect, use and disclose NRIC numbers or retain identification documents must “ensure that adequate security protection measures are in place to safeguard the personal data in their possession or under their control”, the commission said in its statement.

A list of all the relevant legislation requiring the collection of NRIC numbers – such as the Casino Control Act, Employment Act and Road Traffic Act, among others – can also be found at www.pdpc.gov.sg/NRIC-Extracts.

What if you are entering a private building or property?

According to the PDPC, when a member of the public enters a commercial or residential building, the management is allowed to request to see their physical NRIC/driving licence/work permit/passport to verify their identity.

The security officers may also record personal data such as the visitor’s name, mobile number and only partial NRIC/FIN numbers.

However, you should not be asked to provide your identification number in full. There is also no need to hand over your ID documents in exchange for a visitor pass.

How do organisations find out if they are breaking the rules?

The PDPC and the Infocomm Media Development Authority (IMDA) have developed some resources to help organisations determine what they can and cannot do when it comes to NRIC collection.

These resources include:

A technical guide on how organisations can replace NRIC collection with alternative identifiers or use SG-Verify;

Pre-approved solutions available on the SME Portal’s Tech Depot for functions such as visitor management, point of sales and customer relationship management; and

New template notices which commercial and residential buildings can put up for visitor management.

A list of Frequently Asked Questions can also be found at www.pdpc.gov.sg/NRIC-faqs.

