Friday 31 August 2018

Collecting NRIC numbers and making copies of the identity card will be illegal from Sept 1, 2019


From Sept 1 next year, it will be illegal for organisations to collect, use or disclose NRIC numbers or make copies of the identity card, under stricter rules spelt out on Friday (Aug 31) by the Personal Data Protection Commission.

2 comments:

Guanyu said...

Collecting NRIC numbers and making copies of the identity card will be illegal from Sept 1, 2019

HARIZ BAHARUDIN
31 August 2018

From Sept 1 next year, it will be illegal for organisations to collect, use or disclose NRIC numbers or make copies of the identity card, under stricter rules spelt out on Friday (Aug 31) by the Personal Data Protection Commission.

For years, places like shopping malls have collected NRIC numbers when registering customers for lucky draws and memberships or even to track parking redemptions.

But the updated rules mean organisations will no longer be allowed to do that.

Organisations that have collected NRIC numbers will also have to dispose of them by next year, following updates to the rules for such collection under the Personal Data Protection Act (PDPA), which went fully into force in July 2014.

"In today's digital economy, indiscriminate collection or negligent handling of NRIC numbers can increase the risk of unintended disclosure and may result in NRIC numbers being used for illegal activities such as identity theft or fraud," the commission said in a release on Friday (Aug 31).

It added that such risks arise as the NRIC number is a permanent and irreplaceable identifier.

Companies were also warned that unless required by the law, physically holding on to an individual's NRIC will not be allowed as well from Sept 1.

Although the Act already prohibits the indiscriminate collection of consumers' personal data, and requires organisations to account for the use of the data, privacy advocates argued that NRIC details were still being collected, sometimes for frivolous reasons. These ranged from booking a movie ticket to renting a bicycle.

Following public feedback, the privacy watchdog proposed updated guidelines which were then put up for public consultation from November to December last year, before the stricter rules were developed.

There are, however, exceptions.

NRIC numbers or copies of the NRIC can only be obtained or shared if they are required by law, such as when subscribing to a new phone line, making a doctor's appointment or checking into a hotel.

NRIC details may also be collected when it is necessary to precisely verify an individual's identity "to a high degree of fidelity".

This would include visiting pre-schools or transactions involving healthcare, financial or real estate matters, and when not getting it could risk security or could cause significant harm.

"Where the collection, use and disclosure of NRIC numbers or retention of physical NRICs is permitted, organisations must ensure that adequate protection measures are in place to safeguard the personal data in their possession or under their control, in compliance with their obligations under the PDPA," added the commission.

Organisations that are found flouting the Act can be fined up to $1 million.

These updated rules for NRIC numbers also apply to other national identification numbers, like birth certificate numbers, foreign identification numbers and work permit numbers.

Although passports are periodically replaced, the commission said that organisations should avoid collecting the full passport numbers of individuals as well, unless justified.

It acknowledged that some organisations collect a partial NRIC number and clarified that details of up to the last three numerical digits and letter of the NRIC would not be considered the full NRIC number.

But it added that these partial numbers are still considered personal data under the Act, as it could allow an individual to be identified.

The privacy watchdog reiterated that organisations that collect partial NRIC numbers must still comply with the Act's Data Protection Provisions, and must take steps to make sure this data is secured and not disclosed.

It said it does not prescribe the type of identifiers that organisations can use instead of NRIC numbers, and that organisations are encouraged to assess these alternatives based on their own needs.

Guanyu said...

Some alternatives it suggested include organisation or user-generated ID, tracking numbers or organisation-issued QR codes.

The commission said it will, together with the Infocomm Media Development Authority (IMDA), help organisations adjust by publishing a technical guide on replacing the NRIC number with alternative identifiers.

The commission and IMDA will identify pre-approved technology solutions that companies can take up.

They will also develop template notices that organisations can use to manage customer expectations during this transition period.