From 1 September 2019, the Personal Data Protection Commission of Singapore (“the PDPC”) has said that, as a starting point, organisations should not collect, use or disclose an individual’s NRIC number, as well as the retention of physical NRICs, except when:-
The same considerations will apply to: –
All references to NRIC numbers and physical NRICs in this guide shall apply equally to the other identification numbers and documents.
As a starting point, the PDPC has set out a non-exhaustive list of all common scenarios where private sector organisations may be required to collect an individual’s NRIC or other national identification number under the law. The list, including the links, below are updated as at 27 August 2019
The PDPC generally considers it necessary to accurately establish or verify the identities of individuals to a high degree of fidelity in the following scenarios: –
However, these are merely illustrative examples, and the categories are non-exhaustive. The organisation must be able to justify the need for identification to a high degree of fidelity.
Even if there is justification to collect the NRIC number, the other provisions relating to the notification of purpose, and the obtaining of consent, and the use and disclosure to be consistent with the notified purposes under the PDPA must be complied with, subject to the exceptions in the PDPA.
Where possible, the organisation should consider using alternative or replacement identifiers. The PDPC has given some guidelines for choosing a replacement identifier instead of NRIC Numbers: –
Organisations are encouraged to use replacement identifiers for their own purposes. NRIC numbers that are collected should only be used and or disclosed as required by law or where required to identify the individual to a high degree of fidelity.
The increased risks of misuse of NRIC numbers means that organisations are expected to provide a greater level of security and protection of NRIC numbers. This is consistent with the obligation to provide reasonable security arrangements under the PDPA. Similarly, organisations should remove NRIC numbers from their records once the purposes for which the NRIC numbers has been fulfilled, and that retention is no longer necessary for their business or legal purposes.
Our Intellectual Property and Technology team advises clients from start-ups to multinationals on the full range of data protection issues from the collection, use and processing of data for commercial purposes to the secure storage of data from unauthorised access. We focus on risk management solutions by providing practical insights into the practices. To find out more, please reach out to Partner, Rizwi Wun.
Download the PDF copy here.