Companies
have less than a week to comply with stricter rules by Singapore's privacy
watchdog governing the use, collection and disclosure of the NRIC and other national
identification numbers.
In a
statement yesterday, the Personal Data Protection Commission (PDPC) reminded
organisations that unless required by law, from Sept 1, it will be illegal for
organisations to physically hold on to an individual's NRIC and collect its
full number.
This applies
to birth certificate numbers, foreign identification numbers and work permit
numbers as well. The commission had announced changes to the NRIC advisory
guidelines last year as a result of established practices that involved the
rampant use of the NRIC.
Details from
the NRIC were being used in a range of situations - from people filling out
lucky draw coupons and membership applications, to retailers registering
customers for parking redemptions.
"NRIC
numbers are a permanent and irreplaceable identifier issued by the Singapore
Government primarily for public administration purposes and to facilitate
transactions with the Government.
"As
NRIC numbers can be used to retrieve data relating to individuals, there is a
need to reduce indiscriminate or unjustified collection and negligent handling
of NRIC numbers," the PDPC said in its statement.
Organisations
that have collected the NRIC numbers have been encouraged to assess if they
need to retain these numbers and, if not, the commission suggests they dispose
of them responsibly and in compliance with the Personal Data Protection Act
(PDPA) disposal methods.
The law
already prohibits the indiscriminate collection of consumers' personal data and
requires organisations to account for its use.
But privacy
advocates have argued that NRIC details were still being collected, sometimes
for frivolous reasons.
From Sunday,
NRIC numbers or copies of the NRIC can be obtained or shared only if they are
required by law, such as when subscribing to a new phone line, making a
doctor's appointment or checking into a hotel.
NRIC details
may also be collected when it is necessary to precisely verify an individual's
identity to a high degree of accuracy.
This would
include visiting pre-schools or transactions involving healthcare, financial or
real estate matters.
Organisations
that continue to indiscriminately collect, use or disclose NRIC numbers would
be flouting the PDPA, and could incur a financial penalty of up to $1 million.
One company
that has made changes to the way it uses the NRIC is security services company
Prosegur Security, which employs about 1,400 security officers in Singapore.
In the past,
some of its clients had asked the company to collect the NRIC - either the full
number or the card itself - before allowing visitors to enter their premises.
The company
now tells its clients that such requests cannot be made, and amendments have
been made to its standard operating procedures (SOPs), including the way
clients verify the identity of visitors.
Mr Vincent
Wong, human resource manager at Prosegur Security, said: "Clients
generally are also earnest about doing the right thing and are participative in
implementing, amending or enforcing SOPs in line with the requirements."
Its staff have
also been briefed about the dos and don'ts of data collection.
About three
months ago, the company disseminated the PDPC's advisory guidelines to the
sites where its staff work, to allow the officers to refer to them when they
need to.
Recruitment
portal JobStreet has also taken steps to get itself ready before the Sept 1
deadline.
A spokesman
told The Straits Times that since June, it no longer collects the NRIC numbers
of job candidates as an optional identifier on its online registration form.
Those who
had previously provided the numbers were informed that the company would remove
the numbers from its databases from June.
Who can collect NRIC numbers from Sept 1?
From Sunday,
organisations will be legally barred from collecting, using or disclosing NRIC
numbers or making copies of the identity card, under new and stricter rules
enforced by Singapore's privacy watchdog, the Personal Data Protection
Commission.
Organisations
that flout the Personal Data Protection Act can incur a financial penalty of up
to $1 million.
WHEN DO I
NOT HAVE TO GIVE UP MY NRIC?
Unless
required by law or when it is necessary to accurately identify you, you do not
need to give your full national identification number. The organisation also
cannot retain your card.
This
includes when applying for retail memberships, signing up for contests or lucky
draws, renting a bicycle, buying movie tickets online or completing survey
forms - longstanding practices that use the NRIC details as identifiers.
You should
also not furnish your NRIC or its details when entering the premises of a
private condominium or using a computer at an Internet cafe.
WHEN MUST I
RELEASE MY NRIC INFORMATION?
You have to
provide the information when the law requires it. For example, when seeking
medical treatment at a general practitioner clinic, which is required under the
Private Hospitals and Medical Clinics Regulations.
The
information is also required under the Hotel Licensing Regulations, when you
are checking into a hotel.
Subscribing
to a phone line also requires you to give your NRIC details, under the
Telecommunications Act. You can also be asked to give your NRIC details when
the inability to identify you accurately could cause significant harm.
The details
may also be needed for property transactions or healthcare matters, such as
when applying for insurance and making medical claims.
MUST I SHOW
MY NRIC WHEN ASKED TO VERIFY MY AGE, OR TO VERIFY MY IDENTITY?
This is
allowed, when just the sight of an individual's physical NRIC and information
is needed for verification purposes.
It is
permitted as long as there is no intention to control or possess the physical
NRIC, no personal data is retained and the NRIC is returned immediately.
DO THE NEW
RULES APPLY ONLY TO THE NRIC?
The stricter
rules apply also to cards with your NRIC number on them, like a driver's
licence, as well as other national identification numbers like birth
certificate numbers, foreign identification numbers and work permit numbers.
While
passport numbers are periodically replaced, organisations should avoid
collecting the full passport numbers of individuals as well, unless justified.
WHAT ARE
ALTERNATIVES TO THE NRIC FOR IDENTIFICATION PURPOSES?
Alternatives
may include organisation or user-generated IDs, tracking numbers or organisation-issued
QR codes, or partial NRIC details of up to the last three numerical digits and
letter.
WILL I STILL
BE ASKED FOR MY NRIC DETAILS TO ACCESS GOVERNMENT SERVICES AND PREMISES?
Yes. The
advisory guidelines on the NRIC do not apply to the Government.
The NRIC
number is a unique identifier assigned by the Government to each Singapore
resident that is often used for transactions with the Government.
As the
issuing authority for the NRIC, the Government says it rightfully uses the NRIC
to discharge its functions and services with citizens in a secure manner.