The Personal Data Protection Act 2012 (PDPA), which became effective on 2 July 2014, governs the collection, use and disclosure of individuals’ personal data by organisations. Organisations that fail to comply with the PDPA may be fined up to S$1 million and suffer reputational damage. The Personal Data Protection Commission (the “Commission”) is the regulatory body that administers and enforces the PDPA and also provides public education to help organisations understand and comply with the PDPA.

In September 2013, the Commission issued Advisory Guidelines on Selected Topics (the “Guidelines”), which covered the topic of application of the PDPA to NRIC numbers. Since then, the Commission has received numerous queries and feedback from individuals and organisations regarding the collection, use and disclosure of NRIC numbers, as well as the collection of physical NRICs for business purposes. Accordingly, the Commission revised the chapter on NRIC numbers in the Guidelines to provide further assistance on such issues. The Commission held a public consultation exercise on the rules governing this subject matter, which ended on 18 December 2017.

In summary, the revised Guidelines address whether organisations may collect, use or disclose individuals’ NRIC numbers or a copy of their NRICs, or retain their physical NRICs; and whether other provisions of the PDPA may apply in connection with the collection, use or disclosure of NRIC numbers or copies of the NRICs, or the retention of the physical NRICs.

The changes seek greater protection of NRIC numbers and only permit the collection of such numbers where the law requires it, or when it is necessary to verify someone’s identity to prevent fraud or harm. These situations include when seeking emergency or medical treatment at hospitals or when entering into high-value transactions such as the purchase of property or insurance policies. NRIC numbers are not required to be collected, used or disclosed under the law in situations which include the rental of bicycles, the online purchase of movie tickets, the redemption of parking coupons and the participation in lucky draws held by shopping malls.

Starting in the middle of 2018, after the more stringent regime takes effect, consumers will not have to hand over their NRIC numbers in the above situations where the law does not require it. The responsibility will then shift to service providers to rely on other methods to identify their consumers, which may include relying on user-generated IDs or passwords, or QR codes.

A push factor for such a change is the serious threat of damage from fraud related to an individual’s NRIC number, because such numbers are permanent and irreplaceable identifiers that can be traced to a large amount of sensitive and personal information. Further, compared with credit card numbers, which can be easily deactivated or altered, an individual’s NRIC number is distinct and cannot be altered.

It has been routine practice for years for service providers in Singapore to indiscriminately collect customers’ NRIC numbers, and in some cases even customers’ physical NRICs, for a wide range of uses, from tracking parking redemptions to participating in lucky draws to purchasing movie tickets online. Such routine practices have long been criticised by privacy advocates, who have cited the stricter rules as a step in the right direction.

Such shifts in the rules will require organisations to review their current business and operational procedures to implement alternatives to the collection, use and disclosure of NRIC numbers and the collection of physical NRICs. The Commission is proposing to allow organisations a period of up to 12 months after the issuance of the updated Guidelines to implement the necessary changes to their practices.