Wednesday, 9 October 2019

Stricter NRIC data collection rules to kick in from Sunday


Companies have less than a week to comply with stricter rules by Singapore's privacy watchdog governing the use, collection and disclosure of the NRIC and other national identification numbers.
In a statement yesterday, the Personal Data Protection Commission (PDPC) reminded organisations that unless required by law, from Sept 1, it will be illegal for organisations to physically hold on to an individual's NRIC and collect its full number.

This applies to birth certificate numbers, foreign identification numbers and work permit numbers as well. The commission had announced changes to the NRIC advisory guidelines last year as a result of established practices that involved the rampant use of the NRIC.

Details from the NRIC were being used in a range of situations - from people filling out lucky draw coupons and membership applications, to retailers registering customers for parking redemptions.
"NRIC numbers are a permanent and irreplaceable identifier issued by the Singapore Government primarily for public administration purposes and to facilitate transactions with the Government.
"As NRIC numbers can be used to retrieve data relating to individuals, there is a need to reduce indiscriminate or unjustified collection and negligent handling of NRIC numbers," the PDPC said in its statement.

Organisations that have collected the NRIC numbers have been encouraged to assess if they need to retain these numbers and, if not, the commission suggests they dispose of them responsibly and in compliance with the Personal Data Protection Act (PDPA) disposal methods.

The law already prohibits the indiscriminate collection of consumers' personal data and requires organisations to account for its use.

But privacy advocates have argued that NRIC details were still being collected, sometimes for frivolous reasons.

From Sunday, NRIC numbers or copies of the NRIC can be obtained or shared only if they are required by law, such as when subscribing to a new phone line, making a doctor's appointment or checking into a hotel.

NRIC details may also be collected when it is necessary to precisely verify an individual's identity to a high degree of accuracy.

This would include visiting pre-schools or transactions involving healthcare, financial or real estate matters.

Organisations that continue to indiscriminately collect, use or disclose NRIC numbers would be flouting the PDPA, and could incur a financial penalty of up to $1 million.

One company that has made changes to the way it uses the NRIC is security services company Prosegur Security, which employs about 1,400 security officers in Singapore.

In the past, some of its clients had asked the company to collect the NRIC - either the full number or the card itself - before allowing visitors to enter their premises.

The company now tells its clients that such requests cannot be made, and amendments have been made to its standard operating procedures (SOPs), including the way clients verify the identity of visitors.

Mr Vincent Wong, human resource manager at Prosegur Security, said: "Clients generally are also earnest about doing the right thing and are participative in implementing, amending or enforcing SOPs in line with the requirements."

Its staff have also been briefed about the dos and don'ts of data collection.

About three months ago, the company disseminated the PDPC's advisory guidelines to the sites where its staff work, to allow the officers to refer to them when they need to.

Recruitment portal JobStreet has also taken steps to get itself ready before the Sept 1 deadline.
A spokesman told The Straits Times that since June, it no longer collects the NRIC numbers of job candidates as an optional identifier on its online registration form.

Those who had previously provided the numbers were informed that the company would remove the numbers from its databases from June.

Who can collect NRIC numbers from Sept 1?
From Sunday, organisations will be legally barred from collecting, using or disclosing NRIC numbers or making copies of the identity card, under new and stricter rules enforced by Singapore's privacy watchdog, the Personal Data Protection Commission.
Organisations that flout the Personal Data Protection Act can incur a financial penalty of up to $1 million.

WHEN DO I NOT HAVE TO GIVE UP MY NRIC?
Unless required by law or when it is necessary to accurately identify you, you do not need to give your full national identification number. The organisation also cannot retain your card.
This includes when applying for retail memberships, signing up for contests or lucky draws, renting a bicycle, buying movie tickets online or completing survey forms - longstanding practices that use the NRIC details as identifiers.

You should also not furnish your NRIC or its details when entering the premises of a private condominium or using a computer at an Internet cafe.

WHEN MUST I RELEASE MY NRIC INFORMATION?
You have to provide the information when the law requires it. For example, when seeking medical treatment at a general practitioner clinic, which is required under the Private Hospitals and Medical Clinics Regulations.

The information is also required under the Hotel Licensing Regulations, when you are checking into a hotel.

Subscribing to a phone line also requires you to give your NRIC details, under the Telecommunications Act. You can also be asked to give your NRIC details when the inability to identify you accurately could cause significant harm.

The details may also be needed for property transactions or healthcare matters, such as when applying for insurance and making medical claims.

MUST I SHOW MY NRIC WHEN ASKED TO VERIFY MY AGE, OR TO VERIFY MY IDENTITY?
This is allowed, when just the sight of an individual's physical NRIC and information is needed for verification purposes.

It is permitted as long as there is no intention to control or possess the physical NRIC, no personal data is retained and the NRIC is returned immediately.

DO THE NEW RULES APPLY ONLY TO THE NRIC?
The stricter rules apply also to cards with your NRIC number on them, like a driver's licence, as well as other national identification numbers like birth certificate numbers, foreign identification numbers and work permit numbers.

While passport numbers are periodically replaced, organisations should avoid collecting the full passport numbers of individuals as well, unless justified.

WHAT ARE ALTERNATIVES TO THE NRIC FOR IDENTIFICATION PURPOSES?
Alternatives may include organisation or user-generated IDs, tracking numbers or organisation-issued QR codes, or partial NRIC details of up to the last three numerical digits and letter.

WILL I STILL BE ASKED FOR MY NRIC DETAILS TO ACCESS GOVERNMENT SERVICES AND PREMISES?
Yes. The advisory guidelines on the NRIC do not apply to the Government.

The NRIC number is a unique identifier assigned by the Government to each Singapore resident that is often used for transactions with the Government.

As the issuing authority for the NRIC, the Government says it rightfully uses the NRIC to discharge its functions and services with citizens in a secure manner.