27 September, 2018
On 31 August 2018, the Personal Data Protection Commission in Singapore (the "Commission") issued its Advisory Guidelines on the Personal Data Protection Act of Singapore (the "PDPA") for NRIC and Other National Identification Numbers (the "Guidelines"). The Guidelines follow the conclusion of the public consultation conducted by the Commission from 7 November 2017 to 18 December 2017 in a bid to review existing industry practices as well as evaluate past feedback from the public on the collection, use and disclosure of National Registration Identity Card ("NRIC") numbers. The Guidelines aim to clarify instances where organisations are permitted to collect, use or disclose NRIC numbers and other similar types of personal data.
Why were the Guidelines introduced?
Prior to the Guidelines, the rules concerning the collection of NRIC numbers and/or the retention of the physical NRIC for business purposes (which purposes must be reasonable) generally required the individual's consent. Organisations were broadly advised to consider available alternatives for identification purposes and to assess their existing procedures, which left the public with some degree of uncertainty about the collection of NRIC numbers. The Guidelines were issued to provide greater clarity on PDPA compliance, in response to the public consultation conducted by the Commission to address queries and feedback from the public concerning the handling of NRICs. The Commission stressed that the NRIC number is a permanent and irreplaceable identifier which can potentially grant access to large amounts of information relating to the individual. The physical NRIC also contains other personal data of the individual, such as the individual's full name, photograph, thumbprint and residential address. As such, the collection, use and disclosure of NRIC numbers merit special concern to prevent indiscriminate or negligent handling that may lead to criminal activities such as identity theft and fraud.
What are the key points of the Guidelines?
Under the Guidelines, the treatment of NRIC numbers also applies to Passport numbers, Birth Certificate numbers, Foreign Identification Numbers and Work Permit numbers. Organisations are generally not allowed to collect, use or disclose NRIC numbers (or copies of the NRIC) except in the following specified circumstances:
It is required under the law – Some statutory laws require organisations to carry out proper documentation and accurate verification of an individual's identity to maintain accurate, complete and up-to-date records for safety and security reasons. Organisations to which this may apply include hospitals, hotels, telecommunications providers, educational institutions and companies in the course of hiring/managing employees.
An exception under the PDPA applies – Certain circumstances listed under the PDPA are exceptions to the consent requirement when it comes to collecting, using or disclosing an individual's NRIC number. These may include situations where there is a medical emergency, the personal data is publicly available, the personal data is necessary for any investigation or proceedings, or an organisation reasonably requires the personal data to manage the employment relationship with its employees.
It is necessary to accurately establish or verify the identities of the individuals to a high degree of fidelity – where failure to do so may:
a) pose a significant safety or security risk – for example, for visitor entry to preschools where the safety and security of young children are paramount concerns; or
b) pose a risk of significant impact or harm (e.g. reputational, financial, personal or proprietary damage) to an individual and/or the organisation – for example, in relation to transactions that relate to healthcare, financial and real estate matters, particularly in the course of conducting 'know your customer' ("KYC") checks.
The examples illustrated above are not meant to be exhaustive, and the Commission has advised organisations to assess whether the particular situation warrants verification of the individual's identity to a high degree of fidelity.
The Commission placed emphasis on the risks associated with retaining the physical NRIC where the individual would be greatly impacted if the physical NRIC is misplaced, stolen or used for illegal activities such as fraud. As such, organisations should only retain the physical NRIC if it is required under the law.
Who will this affect and how should parties ensure compliance?
Like the PDPA, the Guidelines apply to all organisations which collect data, and "collection" of data refers to any act or set of acts through which an organisation obtains control over or possession of personal data. The Commission has stated that the aim of the Guidelines on the collection of NRIC numbers is to enhance consumer protection against indiscriminate and unjustified collection, use and disclosure of individuals' NRIC numbers in connection with common business practices. These include instances such as redemption of free parking, signing up for club or retail membership, participating in lucky draws/loyalty programmes and online shopping, which are matters that should not require NRIC numbers to be collected.
In light of all the above, organisations should implement suitable alternatives in the absence of permissible or reasonable grounds for obtaining NRIC numbers. However, it would be prudent for organisations to assess the suitability of alternatives and consider whether such alternatives are reasonable according to their business and operational needs. The Commission recommends collecting partial NRIC numbers up to the last three numerical digits where other alternatives are not satisfactory, although partial NRIC numbers would still be considered personal data under the PDPA to the extent that the individual can be identified. Merely sighting an individual's physical NRIC for verification purposes in circumstances where there are age restrictions would not be considered a collection of personal data under the PDPA.
When will the Guidelines take effect?
All organisations are required to comply with effect from 1 September 2019. The Commission recognises that organisations may need time to review and implement necessary changes to their existing business practices to ensure that they comply with their obligations under the PDPA, and that their data protection measures remain sustainable.
How can we help you?
The Guidelines aim to provide greater clarity on the collection, use and disclosure of NRIC numbers and should be an integral part of the organisation's overall data protection policy framework. We are well placed to assist you with the setting up of your organisation's data protection infrastructure from a Singapore PDPA perspective with respect to the collection, use and disclosure of personal data, as well as to review existing processes to assess your organisation's compliance with the PDPA.
We work closely with our London office as one global data protection team providing streamlined data protection advice on any additional impacts of the General Data Protection Regulation (GDPR) and have significant experience in running joint PDPA and GDPR compliance projects for our clients.
This section is contributed by Sheetal Sandhu, senior associate, Virtus Law LLP (a member of the Stephenson Harwood (Singapore) Alliance).
For further information, please contact:
Elaine Beh, Partner, Virtus Law LLP (a member of the Stephenson Harwood (Singapore) Alliance)
elaine.beh@shlegalworld.com