Is It Legal for Businesses to Ask for Your NRIC in Singapore?
As reported in our Legal News article, with effect from 1 September 2019 it will be illegal for organisations to collect, use or disclose Singapore National Registration Identification Card (NRIC) numbers, or make copies of the NRIC.
This article aims to explain the new rules of collection, use and disclosure of the NRIC under the Personal Data Protection Act (PDPA), with special regard to an individual’s rights when organisations attempt to collect or retain your NRIC.
It will cover the following:
- What is an NRIC?
- Why were the new NRIC rules implemented?
- Exceptions to the new NRIC rules
- Can an organisation ask for my NRIC?
- What happens if an organisation asks to see my NRIC without collecting it?
- Can an organisation retain my NRIC?
- What are the alternatives to collecting my NRIC?
- What happens to my NRIC Number which organisations have collected so far?
- How can organisations ensure continued compliance with the PDPA?
- Do the new NRIC rules apply to other identification documents and numbers as well?
What is an NRIC?
The NRIC is a card issued by the Singapore Government to every Singapore citizen and permanent resident within 1 year after he/she attains the age of 15 years.
Each card holds a unique NRIC number. Since the NRIC number of an individual can be used to identify that individual, it is therefore considered personal data under the PDPA.
The NRIC also contains other personal information such as one’s:
Why were the New NRIC Rules Implemented?
The new rules are targeted at restricting the types of situations in which organisations, such as commercial parties, may collect NRIC numbers and/or handle physical NRICs.
These rules were made with the recognition that the NRIC number is a permanent and irreplaceable identifier through which a large amount of an individual’s information can be unlocked.
As the new rules would prevent indiscriminate or negligent handling of the NRIC number and physical NRIC, there would be less room for unintended disclosure of NRIC numbers and other personal information to take place, minimising the risks of identity theft and fraudulent impersonation.
Exceptions to the New NRIC Rules
There are some exceptional situations in which organisations are permitted to obtain, use, or disclose NRIC numbers or copies of the NRIC.
1. Where required by law
The law requires that organisations collect an individual’s NRIC number or copies of the NRIC, whether for the purposes of verifying the individual’s identity or for maintaining records of the transaction, in specific situations.
These situations include:
- When one is seeking treatment at a clinic (pursuant to the Private Hospitals and Medical Clinics Regulations);
- When one is checking into a hotel (pursuant to the Hotel Licensing Regulations);
- When subscribing to a mobile phone plan (pursuant to the Telecommunications Act);
- When receiving massage services at a massage establishment (pursuant to the Massage Establishments Rules);
- When enrolling into a private education institution (pursuant to the Private Education Regulations); or
- When an individual is a new employee joining an organisation (pursuant to the Employment Act).
Additionally, there are rare situations in which organisations can collect, use, or disclose an individual’s NRIC number (or copy of NRIC) without the individual’s consent.
A key example would be emergency situations, where an individual’s life, health, or safety is under threat.
The Personal Data Protection Commission (PDPC) gives the example of an individual at a medical centre who becomes unconscious after sustaining a fall and requires urgent attention at a hospital.
In this case, the staff at the medical centre are permitted to provide the hospital with the individual’s personal data (including his name, NRIC number and medical allergies).
2. Where establishing and verifying an individual’s identity to a “high degree of fidelity” is required
NRIC numbers may be collected if it is necessary to accurately establish and verify an individual’s identity.
Such situations fall into 2 main categories:
- Where the failure to identify the individual to a high degree of fidelity (accurately or precisely) may pose a significant safety or security risk, for example:
  - When a visitor is entering a pre-school, where it is important to ensure the safety and security of young children.
- Where the inability to accurately identify an individual to a high degree of fidelity may pose a risk of significant impact or harm to an individual and/or the organisation (e.g. fraudulent claims). Such situations include:
  - Healthcare transactions;
  - Financial transactions;
  - Real estate transactions;
  - Insurance applications and claims;
  - Applications and disbursements of substantial financial aid;
  - Background credit checks with credit bureau; and
  - Medical check-ups and requests for medical reports.
For public agencies
It should be noted that the new NRIC rules under the PDPA do not apply to transactions with Singapore public agencies (i.e. Government Ministries, Statutory Boards, and Organs of State).
Instead, data protection and data sharing requirements for public agencies are provided for by the Public Sector Governance Act (PSGA). The Act prescribes a separate set of standards for public agencies that is more stringent than the PDPA requirements.
For example, public agencies and their information security systems are subject to regular compulsory audits for compliance with data protection requirements.
The Government has also implemented other data protection measures, such as internet surfing separation on government systems, which are not required of private organisations governed by the PDPA.
Under the PSGA, a public servant who falls afoul of the rules by disclosing protected information without authorisation or by misusing such information could be found guilty of a criminal offence (punishable by a fine or jail term).
Can an Organisation Ask for My NRIC?
As mentioned above, from 1 September 2019, it will be illegal for organisations such as businesses to collect, use, or disclose NRIC numbers of individuals, or to make copies of the NRIC.
Additionally, it will be illegal for organisations to physically hold on to a person’s NRIC, unless this is permitted by the law.
Some situations in which it will no longer be possible for organisations to request your NRIC number or make copies of the physical card include:
- Participation in a lucky draw
- Purchase of movie tickets
- Redemption of free parking coupons
- Signing up for retail membership
- Submitting feedback for a product or service
- Online purchases
What Happens If an Organisation Asks to See My NRIC Without Collecting It?
In some cases, an organisation may request to merely see an individual’s physical NRIC to verify his or her identity. This is allowed so long as the organisation does not retain any personal information and returns the NRIC immediately.
For example, a business is permitted to request to see an individual’s NRIC for age-restricted purchases such as the purchase of alcohol or tobacco, or when the individual is seeking to enter a club or casino.
Can an Organisation Retain My NRIC?
Organisations are also not allowed to retain an individual’s physical NRIC.
This includes bike rental companies (who may want to retain the NRIC as collateral to ensure that individuals return rented bicycles) and security guards at condominiums (who may want to retain the NRIC to establish the identities of visitors and ensure safety of the estate).
What are the Alternatives to Collecting My NRIC?
If the situation in which the organisation asks for your NRIC is not one for which the law allows them to do so (e.g. entering a lucky draw or seeking to redeem a prize), it would be wise to offer other identification data instead.
For example, you may disclose your partial NRIC number (i.e. last 3 numerical digits and letter) or mobile number.
Why is the disclosure of partial NRIC number allowed?
The risks associated with the disclosure of the NRIC number (such as identity theft, as mentioned above) are lower when only the partial NRIC number is collected.
Therefore, collection of the partial NRIC number is not subject to the new rules which restrict collection of the full NRIC number.
Nonetheless, the partial NRIC number is considered personal data under the PDPA as it can still identify the individual, especially if the organisation carries other information relating to the individual.
Hence, organisations that collect partial NRIC numbers must still abide by the Data Protection Provisions of the PDPA. This requires that reasonable security arrangements be made to ensure that the information is secure against unauthorised disclosure.
Suitable alternatives in specified instances
The PDPC has suggested that alternative pieces of information be employed by organisations to verify individuals’ identities in specific instances, for example:
- For redemption of free parking: the partial NRIC number, vehicle registration number or mobile phone number;
- For online purchase of movie tickets: the cinema operator can issue customers a booking reference number or make use of SMS verification;
- For retail membership sign-ups and lucky draws: the full name, partial NRIC numbers, mobile numbers, email addresses, or mailing addresses of customers;
- For submission of product feedback: individuals’ full names and contact details;
- To establish visitors’ identities at private condominiums: the visitors’ full names, partial NRIC numbers, contact details, or vehicle registration numbers;
- For bike rental: in place of temporary retention of the physical NRIC, bike rental companies may collect other forms of collateral, such as a reasonable monetary deposit.
Organisations may also make use of the following to identify an individual:
What Happens to My NRIC Number which Organisations have Collected So Far?
Organisations must consider if retention is necessary, and if not, dispose of your NRIC information responsibly.
Before the new rules take effect on 1 September 2019, the PDPC encourages organisations that have already collected NRIC numbers to consider if retention of these numbers is necessary.
Retention is unnecessary if the purpose for which the personal data was collected is no longer served by the retention of the personal data, or retention is no longer necessary for business or legal purposes.
If retention is assessed to be unnecessary, organisations should dispose of the information responsibly in accordance with PDPA disposal methods before the new rules kick in.
Retention may be unnecessary where, for example, an individual’s NRIC number was collected for the purpose of identification when he entered into a lucky draw, but the lucky draw has long since concluded and the winners have been identified and contacted.
In this case, there is no longer a need for the business to possess the individual’s NRIC number. Accordingly, the business should dispose of the NRIC information.
Organisations must ensure that your NRIC information is securely stored
Should organisations choose to retain their collection of NRIC numbers, they must ensure sufficient protection of the information, or anonymise the information such that NRIC numbers cannot be linked with particular individuals.
Organisations may notify you on what is being done to protect your NRIC information
Organisations have been encouraged to notify their clients and other stakeholders on their plans in respect of NRIC information already collected. They may use this notification template provided by the PDPC.
How can Organisations Ensure Continued Compliance with the PDPA?
Going forward, organisations permitted to collect NRIC information have to comply with the Data Protection Provisions under the PDPA.
They must make reasonable security arrangements to protect the NRIC information, such as by employing technology to ensure secure storage of data.
Do the New NRIC Rules Apply to Other Identification Documents and Numbers as well?
The rules restricting the collection, use, or disclosure of NRIC information also apply to other documents containing one’s NRIC number, such as:
- Driver’s licences; and
- Work passes.
The new rules similarly cover other national identification numbers, such as:
- Birth certificate numbers;
- Foreign Identification numbers (FIN); and
- Work Permit numbers.
The risks of identity theft and fraud are not to be taken lightly.
Therefore, when asked to disclose sensitive personal information such as your NRIC number, always check if the situation at hand is one that requires such disclosure.
If you represent an organisation, do be mindful of the new rules, and work with your data protection officer to take the necessary steps to ensure compliance.
If in doubt, speak to a data protection lawyer.