Legal Bulletin November 2017



Published date: 29 Nov 2017

PDPC consults on revised advisory guidelines relating to NRIC numbers

Between 7 November 2017 and 18 December 2017, the Personal Data Protection Commission (“PDPC”) is conducting a public consultation on proposed revisions to the chapter on National Registration Identification Card (“NRIC”) numbers in the Advisory Guidelines on the Personal Data Protection Act (“PDPA”) for Selected Topics (“advisory guidelines”).
 
Since issuing the advisory guidelines in September 2013, PDPC has received queries and feedback from individuals and organisations regarding the collection, use and disclosure of NRIC numbers, as well as the collection of physical NRICs for business purposes. PDPC is therefore proposing revisions to the chapter on NRIC numbers in the advisory guidelines to clarify how the PDPA applies to the collection, use, or disclosure of an individual’s NRIC number, copy of NRIC or physical NRIC by organisations, as well as other data protection obligations required.
 
It is notable that a “sunrise” period of 12 months has been proposed for “organisations to review and implement changes to their practices and processes” and that the proposed advisory guidelines specifically state that “similar treatment may apply to other unique identifiers and identification documents (e.g. passport and passport numbers)”.
 
This article describes various aspects of the proposed revisions below.
 
Organisations should not collect, use, or disclose NRIC numbers unless required by law or necessary to accurately establish and verify an individual’s identity
 
The proposed revised advisory guidelines provide that generally organisations should not collect, use or disclose an individual’s NRIC number or a copy of the NRIC unless required by law or necessary to accurately establish and verify an individual’s identity.
 
Some examples set out in the revised advisory guidelines of situations where the collection, use or disclosure of NRIC numbers or copies of the NRIC may be required under the law include seeking medical treatment at a general practitioner’s clinic (Private Hospitals and Medical Clinics Regulations), enrolling into a child care centre (Child Care Centres Regulations), checking into a hotel (Hotels Licensing Regulations) and subscribing to a mobile telephone line (Telecommunications Act).
 
Circumstances under which PDPC would consider it necessary to accurately establish and verify the identity of individuals include situations or transactions where verification is necessary to prevent a risk of significant harm or impact to the individual and/or the organisation, for example entering into high value contracts such as property transactions, and applications for healthcare or travel insurance to prevent fraudulent claims.
 
Organisations should not retain physical NRIC unless required by law or necessary to accurately establish and verify an individual’s identity
 
In general, organisations should not retain an individual’s physical NRIC unless required under the law, or where it is necessary to accurately establish and verify the identity of the individual. As retaining an individual’s physical NRIC or a copy of the NRIC is considered collection of the personal data on the physical NRIC, the data protection provisions of the PDPA in respect of that collection would be applicable.
 
PDPC clarifies in the proposed revised advisory guidelines that even if an organisation temporarily retains an individual’s physical NRIC (e.g. as collateral) without recording any personal data contained in the NRIC, PDPC generally considers the organisation to have collected all the personal data in the NRIC, for the duration the physical NRIC is in the possession or under the control of the organisation. As examples, the proposed revised advisory guidelines provide that in rental of bicycles and issuance of visitor badges, the physical NRICs should not be retained.
 
Where an organisation requests, but does not retain, an individual’s physical NRIC and the information on it for verification purposes, PDPC may consider that there was no intention to obtain control or possession of the physical NRIC. Hence there is no collection or retention of personal data on the physical NRIC.
 
Organisations to adopt suitable alternatives based on business and operational needs and avoid collecting excessive personal data
 
As PDPC does not prescribe the types of identifiers that organisations should adopt in place of NRIC numbers or a copy of the NRIC, organisations are expected to assess the suitability of alternatives based on their own business and operational needs. Organisations should also ensure that the alternatives provided are reasonable and avoid excessive collection of personal data as an alternative to the individual’s NRIC number or a copy of the NRIC.
 
Some alternatives that have been adopted by organisations include organisation/user-generated ID or password, tracking number, organisation-issued QR code, or monetary deposit. The proposed revised guidelines set out some examples to illustrate scenarios where the collection, use or disclosure of NRIC numbers or a copy of the NRIC is not required under any law, and some alternatives that organisations can consider adopting. For example:
 
· Malls can track redemption of free parking by recording vehicle numbers or mobile phone numbers.

· Cinemas could issue customers with a booking reference number or an SMS confirmation to verify the identity of customers who purchase movie tickets online when they collect the movie tickets.

· Retailers could allow their members to use an email address or a store-generated identifier for establishing and verifying identities in membership programmes.

· Retailers conducting a lucky draw may consider collecting the full name and contact information (e.g. email address) of participating customers for the purpose of contacting the winners of the lucky draw and verifying the identities of the winners.
 
Organisations to have 12 months to review and implement the necessary changes to their practices and processes

PDPC is proposing to allow organisations a period of 12 months from the issuance of the revised advisory guidelines to review and implement the necessary changes to their practices and processes involving the collection, use or disclosure of NRIC numbers, physical NRICs or copies of the NRIC.
 
Proposed technical guide on alternatives in place of NRIC numbers on websites and other public facing computer systems
 
PDPC has also released for public consultation a proposed technical guide to accompany the revised advisory guidelines. The proposed technical guide provides guidance on the alternatives that can be considered in place of the NRIC number as a unique identifier used on websites and other public facing computer systems.
 
Reference materials
 
The following materials are available from the PDPC website www.pdpc.gov.sg:
 
· Cover Note

· Proposed Advisory Guidelines on the PDPA for NRIC Numbers

· Proposed Technical Guide to NRIC Advisory Guidelines
 
 
For further information, please contact:
 
+65 6890 7883
 
+65 6890 7852
 
+65 6890 7526
 
+65 6890 7627
 
+65 6890 7833
 


For more information on Singapore law, please go to: www.singaporelaw.sg