Is It Legal for Businesses to Ask for Your NRIC in Singapore?
As reported in our Legal News article, with effect from 1 September 2019 it will be illegal for organisations to collect, use or disclose Singapore National Registration Identification Card (NRIC) numbers, or make copies of the NRIC.
This article aims to explain the new rules of collection, use and disclosure of the NRIC under the Personal Data Protection Act (PDPA), with special regard to an individual’s rights when organisations attempt to collect or retain your NRIC.
It will cover the following:
- What is an NRIC?
- Why were the new NRIC rules implemented?
- Exceptions to the new NRIC rules
- Can an organisation ask for my NRIC?
- What happens if an organisation asks to see my NRIC without collecting it?
- Can an organisation retain my NRIC?
- What are the alternatives to collecting my NRIC?
- What happens to my NRIC Number which organisations have collected so far?
- How can organisations ensure continued compliance with the PDPA?
- Do the new NRIC rules apply to other identification documents and numbers as well?
The NRIC is a card issued by the Singapore Government to every Singapore citizen and permanent resident within 1 year after he/she attains the age of 15 years.
Each card holds a unique NRIC number. Since the NRIC number of an individual can be used to identify that individual, it is therefore considered personal data under the PDPA.
The NRIC also contains other personal information such as one’s:
Why were the New NRIC Rules Implemented?
The new rules are targeted at restricting the types of situations in which organisations, such as commercial parties, may collect NRIC numbers and/or handle physical NRICs.
These rules were made with the recognition that the NRIC number is a permanent and irreplaceable identifier through which a large amount of an individual’s information can be unlocked.
As the new rules would prevent indiscriminate or negligent handling of the NRIC number and physical NRIC, there would be less room for unintended disclosure of NRIC numbers and other personal information to take place, minimising the risks of identity theft and fraudulent impersonation.
Exceptions to the New NRIC Rules
There are some exceptional situations in which organisations are permitted to obtain, use, or disclose NRIC numbers or copies of the NRIC.
1. Where required by law
The law requires that organisations collect an individual’s NRIC number or copies of the NRIC, whether for the purposes of verifying the individual’s identity or for maintaining records of the transaction, in specific situations.
These situations include:
- When one is seeking treatment at a clinic (pursuant to the Private Hospitals and Medical Clinics Regulations);
- When one is checking into a hotel (pursuant to the Hotel Licensing Regulations);
- When subscribing to a mobile phone plan (pursuant to the Telecommunications Act);
- When receiving massage services at a massage establishment (pursuant to the Massage Establishments Rules);
- When enrolling into a private education institution (pursuant to the Private Education Regulations); or
- When an individual is a new employee joining an organisation (pursuant to the Employment Act).
Additionally, there are rare situations in which organisations can collect, use, or disclose an individual’s NRIC number (or copy of NRIC) without the individual’s consent.
A key example would be emergency situations, where an individual’s life, health, or safety is under threat.
The Personal Data Protection Commission (PDPC) gives the example of an individual at a medical centre who becomes unconscious after sustaining a fall and requires urgent attention at a hospital.
In this case, the staff at the medical centre are permitted to provide the hospital with the individual’s personal data (including his name, NRIC number and medical allergies).
2. Where establishing and verifying an individual’s identity to a “high degree of fidelity” is required
NRIC numbers may be collected if it is necessary to accurately establish and verify an individual’s identity.
Such situations fall into 2 main categories:
- Where the failure to identify the individual to a high degree of fidelity (accurately or precisely) may pose a significant safety or security risk, for example:
- When a visitor is entering a pre-school, where it is important to ensure the safety and security of young children.
- Where the inability to accurately identify an individual to a high degree of fidelity may pose a risk of significant impact or harm to an individual and/or the organisation (e.g. fraudulent claims). Such situations include:
- Healthcare transactions;
- Financial transactions;
- Real estate transactions;
- Insurance applications and claims;
- Applications and disbursements of substantial financial aid;
- Background credit checks with credit bureau; and
- Medical check-ups and requests for medical reports.
For public agencies
It should be noted that the new NRIC rules under the PDPA, do not apply to transactions with Singapore public agencies (i.e. Government Ministries, Statutory Boards, and Organs of State).
Instead, data protection and data sharing requirements for public agencies are provided for by the Public Sector Governance Act (PSGA). The Act prescribes a separate set of standards for public agencies that is more stringent than the PDPA requirements.
For example, public agencies and their information security systems are subject to regular compulsory audits for compliance with data protection requirements.
The Government has also implemented other data protection measures, such as internet surfing separation on government systems, which are not required of private organisations governed by the PDPA.
Under the PSGA, a public servant who falls afoul of the rules by disclosing protected information without authorisation or by misusing such information could be found guilty of a criminal offence (punishable by a fine or jail term).
Can an Organisation Ask for My NRIC?
As mentioned above, from 1 September 2019, it will be illegal for organisations such as businesses to collect, use, or disclose NRIC numbers of individuals, or to make copies of the NRIC.
Additionally, it will be illegal for organisations to physically hold on to a person’s NRIC, unless this is permitted by the law.
Some situations in which it will no longer be possible for organisations to request for your NRIC number or make copies of the physical card include:
- Participation in a lucky draw
- Purchase of movie tickets
- Redemption of free parking coupons
- Signing up for retail membership
- Submitting feedback for a product or service
- Online purchases
What Happens If an Organisation Asks to See My NRIC Without Collecting It?
In some cases, an organisation may request to merely see an individual’s physical NRIC to verify his or her identity. This is allowed so long as the organisation does not retain any personal information and returns the NRIC immediately.
For example, a business is permitted to request to see an individual’s NRIC for age-restricted purchases such as the purchase of alcohol or tobacco, or when the individual is seeking to enter a club or casino.
Can an Organisation Retain My NRIC?
Organisations are also not allowed to retain an individual’s physical NRIC.
This includes bike rental companies (who may want to retain the NRIC as collateral to ensure that individuals return rented bicycles) and security guards at condominiums (who may want to retain the NRIC to establish the identities of visitors and ensure safety of the estate).
What are the Alternatives to Collecting My NRIC?
If the situation in which the organisation asks for your NRIC is not one for which the law allows them to do so, (E.g. entering a lucky draw or seeking to redeem a prize), it would be wise to offer other identification data instead.
For example, you may disclose your partial NRIC number (i.e. last 3 numerical digits and letter) or mobile number.
Why is the disclosure of partial NRIC number allowed?
The risks associated with the disclosure of NRIC number (such as an identity theft as mentioned above) are lower when only the partial NRIC number is collected.
Therefore, collection of the partial NRIC number is not subject to the new rules which restrict collection of the full NRIC number.
Nonetheless, the partial NRIC number is considered personal data under the PDPA as it can still identify the individual, especially if the organisation carries other information relating to the individual.
Hence, organisations that collect partial NRIC numbers must still abide by the Data Protection Provisions of the PDPA. This requires that reasonable security arrangements be made to ensure that the information is secure against unauthorised disclosure.
Suitable alternatives in specified instances
The PDPC has suggested that alternative pieces of information be employed by organisations to verify individuals’ identities in specific instances, for example:
- For redemption of free parking: the partial NRIC number, vehicle registration number or mobile phone number;
- For online purchase of movie tickets: the cinema operator can issue customers a booking reference number or make use of SMS verification;
- For retail membership sign-ups and lucky draws: the full name, partial NRIC numbers, mobile numbers, email addresses, or mailing addresses of customers;
- For submission of product feedback: individuals’ full names and contact details;
- To establish visitors’ identities at private condominiums: the visitors’ full names, partial NRIC numbers, contact details, or vehicle registration numbers;
- For bike rental: in place of temporary retention of the physical NRIC, bike rental companies may collect other forms of collateral, such as a reasonable monetary deposit.
Organisations may also make use of the following to identify an individual:
What Happens to My NRIC Number which Organisations have Collected So Far?
Organisations must consider if retention is necessary, and if not, dispose of your NRIC information responsibly.
Before the new rules take effect on 1 September 2019, the PDPC encourages organisations that have already collected NRIC numbers to consider if retention of these numbers is necessary.
Retention is unnecessary if the purpose for which the personal data was collected is no longer served by the retention of the personal data, or retention is no longer necessary for business or legal purposes.
If retention is assessed to be unnecessary, organisations should dispose of the information responsibly in accordance with PDPA disposal methods before the new rules kick in.
Retention may be unnecessary where, for example, an individual’s NRIC number was collected for the purpose of identification when he entered into a lucky draw, but the lucky draw has long since concluded and the winners have been identified and contacted.
In this case, there is no longer a need for the business to possess the individual’s NRIC number. Accordingly, the business should dispose of the NRIC information.
Organisations must ensure that your NRIC information is securely stored
Should organisations choose to retain their collection of NRIC numbers, they must ensure sufficient protection of the information, or anonymise the information such that NRIC numbers cannot be linked with particular individuals.
Organisations may notify you on what is being done to protect your NRIC information
Organisations have been encouraged to notify their clients and other stakeholders on their plans in respect of NRIC information already collected. They may use this notification template provided by the PDPC.
How can Organisations Ensure Continued Compliance with the PDPA?
Going forward, organisations permitted to collect NRIC information have to comply with the Data Protection Provisions under the PDPA.
They must make reasonable security arrangements to protect the NRIC information, such as by employing technology to ensure secure storage of data.
Do the New NRIC Rules Apply to Other Identification Documents and Numbers as well?
The rules restricting the collection, use, or disclosure of NRIC information also apply to other documents containing one’s NRIC number, such as:
- Driver’s licences; and
- Work passes.
The new rules are similarly covered under other national identification numbers such as:
- Birth certificate numbers;
- Foreign Identification numbers (FIN); and
- Work Permit numbers.
The risks of identity theft and fraud are not to be taken lightly.
Therefore, when asked to disclose sensitive personal information such as your NRIC number, always check if the situation at hand is one that requires such disclosure.
If you represent an organisation, do be mindful of the new rules, and work with your data protection officer to take the necessary steps to ensure compliance.
If in doubt, speak to a data protection lawyer.
- Annual General Meetings (AGMs) in Singapore: What are They?
- Anti-Money Laundering Regulations and Your Business: What You Need to Know
- Price-Fixing, Bid-Rigging and Other Anti-Competitive Practices to Avoid
- The Business Owner’s Guide to Dividend Payments in Singapore
- Company Audits in Singapore: Requirements and Exemptions
- How to Transfer Shares in a Singapore Private Company: The Essential Guide
- How to Hold an Extraordinary General Meeting (EGM) in Singapore
- How to Issue Shares in a Singapore Private Company
- How to Reduce the Share Capital of Your Singapore Company
- How Businesses Can Legally Conduct Lucky Draws in Singapore
- Essential Regulatory Compliance Guide for Singapore Companies
- Finding a Suitable Corporate Secretarial Firm in Singapore
- Oppression of Minority Shareholders
- Process Agents in Singapore
- Company Constitution in Singapore: What It is and How to Draft One
- How to Set Up a Register of Controllers
- How to Set Up a Register of Nominee Directors
- Memorandum of Understanding (MOU): Does Your Business Need One?
- Minutes of Company Meeting in Singapore: How to Record
- Company Resolutions: What are They?
- Company Memorandum and Articles of Association
- Filing Annual Returns For Your Business
- Shadow Directors: Who are They and What Duties Do They Owe to the Company?
- Director's Remuneration: When Can Company Directors be Remunerated For Their Services?
- How to Remove a Director from a Company in Singapore
- Appointing Company Directors in Singapore: Eligibility, Process etc.
- Company Loans to Directors/Shareholders (& Vice Versa) in Singapore
- Share Transmission: What Happens If a Shareholder Dies in Singapore?
- Business Will: How to Pass on Your Business to Your Successors in Singapore
- Shareholder Rights in Singapore Private Companies
- Appointing a Company Secretary: Roles and Responsibilities
- Directors' Duties in Singapore
- Essential PDPA Compliance Guide for Singapore Businesses
- Cloud Storage of Personal Data: Your Business’ Data Protection Obligations
- How Can Companies Dispose of Documents Containing Personal Data?
- Here's a 7-Step Plan for Companies to Prevent Unauthorised Disclosure When Processing and Sending Personal Data
- Appointing a Data Protection Officer For Your Business: All You Need to Know
- Summary: Your Organisation's 9 Main Obligations under the Personal Data Protection Act
- Check the Do-Not-Call Registry Before Marketing to Singapore Phone Numbers
- GDPR Compliance in Singapore: Is it Required and How to Comply
- Is It Legal for Businesses to Ask for Your NRIC in Singapore?
- PDPA Consent Requirements: How Can Your Business Comply?
- Insolvency: Claw-back of Assets from Unfair Preference and Undervalue Transactions
- Striking Off a Company
- What Should a Creditor Do When a Company Becomes Insolvent?
- Dissolution of partnerships in Singapore
- Validation of Payments Made by Companies Being Wound Up
- Can a Company that Struck Itself Off the Register Later Apply to Restore Itself?
- Are You Closing Your Singapore Business? Have You Settled All of the Following?
- How to File a Proof of Debt against a Company in Liquidation
- Winding Up a Company