On 31 August 2018, the Personal Data Protection Commission of Singapore ("PDPC") issued new Advisory Guidelines on the Personal Data Protection Act ("PDPA") for NRIC and Other National Identification Numbers ("Guidelines"). These Guidelines clarify how organisations should collect, use, and disclose (collectively, "Process") personal data contained in the National Registration Identification Card ("NRIC") and similar national identification documents, including birth certificate numbers, work permit numbers, and foreign identification numbers.
The NRIC number is considered personal data because every Singapore citizen and permanent resident aged 15 years and above can be identified by the permanent, unique number assigned to him/her by the government. The NRIC number is commonly used in commercial transactions and those involving the government. The physical NRIC also contains key personal data including the individual's full name, residential address, date of birth, thumbprint, and photograph.
Due to the sensitive nature of the information which can be obtained from an individual's NRIC number, the PDPC now requires organisations to accord stronger protection to it. The Guidelines will be applied by the PDPC from 1 September 2019.
How the Guidelines affect employers
The general rule under the Guidelines is that organisations are not allowed to Process NRIC numbers or copies of NRICs, or physically hold NRICs, except in specifically permitted situations. These permitted situations are:
a) when Processing is required or authorised by written law ("Legal Requirement");
b) when a consent exception under the PDPA applies ("Consent Exception");
c) when it is necessary to accurately establish or verify an individual's identity to a high degree of fidelity, in which case the organisation must notify the individual of the specific purpose for which it is Processing the individual's NRIC and obtain the individual's prior consent ("Highly Accurate Identification"); or
d) where the organisation Processes only the partial NRIC number of not more than the last 3 digits and last alphabet ("Partial NRIC"), subject to prior notification and consent, unless (a) or (b) apply.
If employers seek to rely on the permitted situations to Process NRICs, the onus is on them to justify that they come within a permitted situation. They must also comply with all the other legal obligations under the PDPA, including ensuring that their policies specifically address the need to Process NRICs and their processes sufficiently protect the NRIC numbers.
In the following sections, we discuss briefly how this rule applies to different categories of personnel typically handled by employers.
Job applicants at pre-employment stage
The PDPC states that there is no legal requirement for employers to obtain NRIC numbers for the purpose of job applications, so the Legal Requirement permitted situation does not apply.
Employers may consider whether they can rely on the Consent Exception of "evaluative purposes", or the Highly Accurate Identification situation, to Process NRIC numbers of job applicants in certain limited cases, such as for necessary background check processes which require the applicant's NRIC number as an identifier.
The PDPC points to Section 95 of the Employment Act ("EA"), which requires employers to maintain detailed employee records, including an employee's NRIC number (or foreign identification number, as the case may be), and states that an organisation may obtain its employees' NRIC numbers to comply with the EA. Processing employees' NRICs therefore falls within the Legal Requirement permitted situation.
Currently, not all employees fall within the purview of the EA. However, this is likely to change in April 2019, when the EA is expected to be amended so that it applies to all levels of employees.
Independent contractors, consultants, gig workers
Section 95 of the EA does not apply to workers who are not legally "employees" of the organisation. This group comprises independent contractors, consultants, gig workers, and certain interns. Therefore, the organisation should carefully consider whether it may rely on any of the other permitted situations before deciding whether to Process NRICs of individuals falling within this category.
Employers must cease to hold their ex-employees' NRIC numbers as soon as retaining such data is no longer necessary for legal or business purposes. The PDPA does not prescribe a specific time frame for retention, as this is dependent on each organisation's specific needs.
What employers should do
Employers should promptly review their existing personal data collection policies and procedures ahead of the 1 September 2019 compliance deadline, with a view to avoiding Processing NRIC numbers or copies unless a clear written law authorises or permits them to do so, or they are able to justify Processing NRIC details under one of the other permitted situations.