On 31 August 2018, the Personal Data Protection Commission ("PDPC") issued an Advisory Guideline on the Personal Data Protection Act for NRIC and Other National Identification Numbers ("Guidelines").
The Guidelines provide more comprehensive advice on the collection, use and disclosure of National Registration Identification Card or "NRIC" numbers and include stricter controls over their usage. In addition, other national identification numbers (e.g. birth certificate numbers, foreign identification numbers and work permit numbers) and passport numbers will also be accorded the same treatment as NRIC numbers under the Guidelines.
The NRIC number is a unique identifier assigned by the Singapore Government to each lawful resident of Singapore above the age of 15 years. As each NRIC number is permanent and irreplaceable, it is generally considered more sensitive personal data and therefore requires a higher level of protection. Apart from the NRIC number, the physical NRIC also contains several other key items of personal data, such as the individual's full name, address and photograph. Hence, improper handling of an individual's NRIC or NRIC number increases the risk of such data being used for illegal purposes such as fraud or identity theft.
Collection, use or disclosure of NRIC numbers
Under the Guidelines, an organisation is generally prohibited from collecting, using or disclosing an individual's NRIC number or a copy of the NRIC unless:
(i) the collection, use or disclosure of the NRIC number or copy of the NRIC is required by law (or an exception under the PDPA applies); or
(ii) the collection, use or disclosure of the NRIC number or copy of the NRIC is necessary to accurately establish or verify the identity of the individual to a high degree of certainty.
In relation to (i), the consent of the individual is not required if such collection, use, or disclosure is required under other legislation. Examples of such situations include guests checking into hotels, customers subscribing for mobile services, or patients seeking medical treatment at a healthcare institution. However, organisations are still advised to notify the individual of the purpose for such collection, use or disclosure and ensure adequate security arrangements for the collected data.
In addition, consent is also not required where an exception under the Second, Third or Fourth Schedule of the PDPA applies (e.g. where the collection of an individual's NRIC number is necessary to respond to an emergency that threatens that individual's health). However, even where an exception applies, the organisation should still ensure that its conduct is reasonable in the circumstances.
In relation to (ii), such collection, use or disclosure would generally be deemed by the PDPC to be necessary where:
(a) the failure to accurately identify the individual to a high degree of fidelity may pose a significant safety or security risk (e.g. visitor entry to preschools where the safety of young children is of primary concern); or
(b) the inability to accurately identify an individual to a high degree of certainty may pose a risk of significant impact or harm to an individual and/or the organisation (e.g. fraudulent activities in relation to healthcare, financial or real estate matters).
Where either (a) or (b) above applies, the organisation may collect an individual's NRIC number (or copy of the physical NRIC) with proper notification and consent. In such circumstances, it would generally be considered reasonable for the organisation to require the individual's consent to collect, use or disclose his or her NRIC number for the stated purpose. For instance, a visitor may be denied entry into a preschool unless he or she consents to his or her NRIC number being collected for security purposes.
In addition, the organisation must be able to provide its justification for the applicability of either (a) or (b) upon request by either the individual or the PDPC.
Generally, the PDPC considers the collection of a copy of the NRIC to be the collection of all the personal data contained on that NRIC. Therefore, the organisation should consider whether such collection would be considered excessive for its intended purpose and whether alternatives could be adopted instead.
The organisation should generally not retain an individual's physical NRIC unless such retention is required under the law. The same restrictions will also apply to other identification documents containing NRIC numbers or other national identification numbers (e.g. driver's licence and work pass).
When considering alternatives to NRIC numbers, the organisation is required to assess the suitability of such alternatives based on its business and operational needs and ensure that such alternatives are reasonable and not excessive.
The Guidelines also provide some helpful examples of scenarios where the collection of the NRIC is not required under the law, together with alternatives that an organisation may consider adopting. Such scenarios include the online purchase of movie tickets, signing up for retail membership programmes and renting bicycles.
Where an organisation chooses to collect only partial NRIC numbers, such collection (up to the last 3 numerical digits and checksum of the NRIC number) will not be considered as the collection of the full NRIC number and will not be subject to the requirements under the Guidelines. However, partial NRIC numbers will still be considered as personal data under the PDPA and therefore an organisation collecting such partial NRIC numbers will still be subject to the usual requirements under the PDPA.
In addition to the Guidelines, the PDPC has also issued a supplemental technical guide which provides detailed guidance on adopting possible alternatives to NRIC numbers, such as organisation or user-generated usernames, email addresses, mobile numbers and partial NRIC numbers. It also sets out certain key considerations for choosing a suitable alternative identifier. For instance, the replacement identifier should:
(a) be easily remembered by and unique to the individual;
(b) not contain sensitive information; and
(c) not be easily guessed by others.
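The partial-NRIC rule above (retain no more than the last three numerical digits and the checksum letter) and consideration (b) for alternative identifiers (the replacement identifier should not contain sensitive information) are both mechanical enough to enforce at the point of collection. The following is an added example, not code from the PDPC or its technical guide. It assumes the common written form of an NRIC or FIN (one prefix letter, seven digits, one checksum letter, e.g. the constructed sample "S1234567D"); it checks format only and does not validate the checksum. The `partial_nric`, `mask_for_display`, `matches_partial` and `identifier_embeds_nric` names are this example's own.

```python
import hmac
import re

# Assumed written form of a full NRIC/FIN: prefix letter, 7 digits, checksum letter.
# The prefix set is an assumption for this example (M-series FINs post-date the Guidelines).
FULL_ID_RE = re.compile(r"^([STFGM])(\d{7})([A-Z])$")

# Anything that looks like a full NRIC/FIN embedded inside a longer string.
NRIC_LIKE_RE = re.compile(r"[STFGM]\d{7}[A-Z]", re.IGNORECASE)


def partial_nric(full_id: str) -> str:
    """Reduce a full NRIC/FIN to the partial form the Guidelines permit.

    Only the last three numerical digits and the checksum letter are returned;
    the prefix and the first four digits are discarded at the collection boundary
    so the full number is never persisted by the caller.
    """
    m = FULL_ID_RE.fullmatch(full_id.strip().upper())
    if not m:
        raise ValueError("input does not have the expected full NRIC/FIN format")
    digits, checksum = m.group(2), m.group(3)
    return digits[-3:] + checksum  # e.g. "567D" for the constructed sample "S1234567D"


def mask_for_display(full_id: str) -> str:
    """Display form that reveals only the permitted partial: prefix and 4 digits masked."""
    return "*" * 5 + partial_nric(full_id)


def matches_partial(candidate_full_id: str, stored_partial: str) -> bool:
    """Compare a freshly supplied full NRIC against a stored partial.

    The candidate is reduced to its partial form before comparison, so this check
    works against a data store that holds partial numbers only. A constant-time
    comparison avoids leaking which characters matched through timing.
    """
    try:
        candidate_partial = partial_nric(candidate_full_id)
    except ValueError:
        return False
    return hmac.compare_digest(candidate_partial, stored_partial.strip().upper())


def identifier_embeds_nric(identifier: str) -> bool:
    """Check a proposed alternative identifier (username, membership id, etc.)
    against consideration (b): it must not carry a full NRIC/FIN inside it."""
    return NRIC_LIKE_RE.search(identifier) is not None


if __name__ == "__main__":
    # Constructed sample values for a local run; not real identifiers.
    sample = "S1234567D"
    stored = partial_nric(sample)
    print("stored partial:", stored)
    print("display form:  ", mask_for_display(sample))
    print("re-verify:     ", matches_partial(" s1234567d ", stored))
    for proposed in ("blue-kite-42", "member_S1234567D"):
        print(f"{proposed!r} embeds NRIC? {identifier_embeds_nric(proposed)}")
```

In practice `partial_nric` would sit in the form handler or API layer that first receives the number, so that downstream logs, databases and backups only ever see the four-character partial; the full value should not be written anywhere before reduction. Note that the partial remains personal data under the PDPA, so the usual protection obligations still apply to it.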
The recommendations provided in this technical guide may prove useful in assisting organisations with complying with the new requirements under the Guidelines.
Organisations will be required to fully comply with the Guidelines from 1 September 2019. To ensure compliance by the stipulated deadline, organisations should review their existing business practices involving the collection, use or disclosure of NRIC numbers or the physical NRIC (or other national identification numbers) and implement the necessary changes so that their data collection practices fall within the scope allowed under the Guidelines.