Earlier this week, the Personal Data Protection Commission (PDPC) of Singapore issued new draft privacy guidelines (Proposed Advisory Guidelines on the Personal Data Protection Act for NRIC numbers) relating to the collection and use of National Registration Identification Card ("NRIC") numbers.
The NRIC number is a unique identifier issued to all Singaporeans at around the age of 15 and is used for all transactions with the Singapore Government. The NRIC includes a large amount of personal data including the full name of each individual, residential address, blood type, photograph, thumbprint, date of birth, race, country of birth and a unique number.
This NRIC number is, however, widely used by many organisations in Singapore to identify individuals for a broad variety of purposes. The PDPC has said that the "indiscriminate collection and use of individuals' NRIC numbers is of special concern as it increases the risk that NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud."
In principle the PDPC is putting forward the position that NRIC numbers should not be collected, unless:
- The collection, disclosure or use is required by law; or
- The collection, use and disclosure is necessary to establish and verify the identity of the individual
In addition, the PDPC is proposing to clamp down on the widespread practice of collection of the physical NRIC by organisations, for example when visiting building premises or renting a bicycle. Organisations should not keep the physical NRIC of an individual unless they can justify it based on the two principles above. In particular, the PDPC is confirming the position that the collection and retention of the physical NRIC amounts to the act of collection of all the personal data found on the NRIC and its retention for the period the NRIC is kept.
Whilst this may appear to be a simple clarification to the law, the proposed change, if implemented, would require many organisations and businesses to change their current practices of using the NRIC numbers for purposes such as membership numbers. For this reason, the PDPC is proposing a 12 month grace period from the issue of final advisory guidelines, for organisations to implement the changes necessary.
The public consultation period for the Proposed Advisory Guidelines on the Personal Data Protection Act for NRIC numbers runs until 18 December 2017 and organisations may provide submissions on the proposals.