The NRIC or “National Registration Identity Card” is issued to individuals who are lawfully resident in Singapore and who have been registered under the National Registration Act (Cap. 201). The NRIC contains personal details such as the name, address, date of birth, gender, blood type and the national registration number of the person to whom it is issued.
It is an offence for any person to
- part with possession of his NRIC without lawful authority; or
- obtain an NRIC other than his own without lawful authority or reasonable excuse.
The penalty is a fine not exceeding $10,000, imprisonment for a term not exceeding 10 years, or both.
The information contained in an NRIC is also protected as personal data under the Personal Data Protection Act 2012 (PDPA).
Despite these laws, Singaporeans and organisations in Singapore do not seem to consider the NRIC as a confidential document. The following practices are common in Singapore:
- Individuals are required to hand over their NRIC in order to gain entry into buildings or events;
- Organisations often scan an individual’s NRIC to download details;
- Organisations routinely request individuals to provide their NRIC numbers for lucky draws, membership registration, subscription etc.
Proposed Advisory Guidelines on the Personal Data Protection Act for NRIC Numbers
With increased use of the internet and cloud-based services, identity theft has become a big concern. Hence, it is very timely that the Personal Data Protection Commission (Commission) has called for public consultation on its Proposed Advisory Guidelines on the Personal Data Protection Act for NRIC Numbers (Draft NRIC Guidelines). The public consultation on the Draft NRIC Guidelines closes on 18 December 2017, and the finalised NRIC Guidelines are now eagerly anticipated.
The Draft NRIC Guidelines clarify that the information contained in an individual’s NRIC is personal data protected under the PDPA, and that the collection of a physical copy of an NRIC is tantamount to collecting the personal data contained within the NRIC. The Draft NRIC Guidelines provide that organisations should not collect, use or disclose an individual’s NRIC number or the physical NRIC except where:
- It is required under the law, for example, when seeking medical treatment or when subscribing to a mobile telephone line; or
- It is necessary to accurately establish and verify the identity of the individual, for example, when entering into high value contracts or when applying for travel insurance.
The Draft NRIC Guidelines do not set new law, but merely clarify the legal position under the PDPA. The PDPA provides that an organisation should consider what a reasonable person would consider to be appropriate in meeting its obligations under the PDPA. Arguably, it would not be reasonable for an organisation to demand a physical copy of the NRIC or to collect, use or disclose an individual’s NRIC number except where it is required under the law or when it is necessary to accurately establish the identity of the individual. Keeping in mind that the NRIC contains information on an individual’s blood type, it is difficult for many organisations to justify their reasons for collecting such information!
The Draft NRIC Guidelines state that organisations will be given a period of 12 months to review and implement necessary changes to their current practices.
Although it may be some time before the finalised NRIC Guidelines are issued, organisations should take immediate steps to examine current practices, and consider whether the collection, use or disclosure of NRIC numbers or a physical copy of the NRIC is reasonable.
Is the current practice of collecting NRIC numbers reasonable?
Many organisations would seek to justify their current practices as reasonable because their systems are built to use NRIC numbers as identifiers. If it is possible for other identifiers to be used in place of NRIC numbers, arguably, it would not be reasonable for the organisation to continue to use NRIC numbers as identifiers because of potential risks to the individuals in the event of a data breach.
The Commission has issued the Proposed Technical Guide to NRIC Advisory Guidelines which assists organisations in considering whether alternative identifiers may be used in current systems and new systems. This indicates that the Commission requires organisations to make changes to existing systems by replacing the NRIC numbers with other identifiers, and that the cost associated with making such changes would not, in itself, be sufficient justification for not making the necessary changes.
As mentioned above, the Draft NRIC Guidelines have not introduced new law, but merely clarify the law. In the circumstances, we recommend that organisations take immediate steps to review their practices and processes without waiting for the finalised NRIC Guidelines. The risks to the individuals would have to be considered against the costs to the organisation to revamp its systems. All findings and conclusions should be documented, especially if the organisation determines that, on balance, it will not use another identifier in place of the NRIC number.
How we can help
We help our clients to review their practices and processes, and to develop alternative practices and processes which are in compliance with the relevant laws.
We offer a full suite of services to help organisations comply with data protection laws of Singapore, and those of other countries which apply to them.