On 31 August 2018, we published our article on ‘Essential PDPA Compliance Guide for Singapore Businesses’. In it, we define ‘personal data’ and mention that an NRIC number is an example of personal data.
On the same day, the Personal Data Protection Commission (PDPC) published new guidelines on NRIC and other national identification numbers, which will be effective on 1 September 2019.
These guidelines attracted media attention that focussed on their highlights. Here, we provide some of the important details that Singapore businesses should be aware of in order to comply with the new guidelines.
Why is the PDPC Implementing New Guidelines on NRIC Numbers?
The PDPC puts special emphasis on NRIC numbers because they are permanent and irreplaceable identifiers that can potentially be used to unlock large amounts of information relating to individuals.
What Should Businesses be Aware of in Relation to the New PDPC Guidelines?
1. The New Guidelines Apply to All Identification Numbers and Copies Thereof
The first thing to know is that the new PDPC guidelines are not only about the collection of NRIC numbers. They also apply to the collection of:
- Physical NRICs;
- Birth Certificate numbers, Foreign Identification Numbers (FINs) and Work Permit (WP) numbers, which the guidelines refer to, collectively, as ‘national identification numbers’; and
- Other identification documents, such as a Singapore driver’s licence, that include the relevant individual’s NRIC number as well.
2. When Can Organisations Collect, Use or Disclose NRIC Numbers?
The starting point in the new PDPC guidelines is that organisations are generally not allowed to collect, use or disclose NRIC numbers (or copies of NRICs) or other national identification numbers. There are exceptions to this rule where:
- An organisation is a public agency (such as a Government Ministry or a statutory board) or is acting on behalf of a public agency;
- Collection, use or disclosure of an NRIC number (or a copy of an NRIC) is required under the law or an exception to the PDPA applies; or
- Collection, use or disclosure of an NRIC number (or a copy of an NRIC) is necessary to accurately establish or verify the identities of individuals to a high degree of fidelity.
In its guidelines, the PDPC gives various examples of situations where collection, use or disclosure of an NRIC number (or a copy of an NRIC) is required by law.
It also says that situations where it is necessary to accurately establish or verify the identities of individuals typically relate to matters on:
- Healthcare (e.g. medical check-ups and reports);
- Financial (e.g. insurance applications and claims, applications for and disbursements of substantial financial aid, and background credit checks with credit bureaus); and
- Real estate (e.g. property transactions).
3. Continued Compliance with the PDPA Obligations
The guidelines also remind organisations that they must continue to comply with the 9 data protection obligations in the PDPA. They place particular emphasis on the retention limitation obligation in connection with NRICs and other national identification numbers.
4. Alternatives to Collecting NRIC Numbers
The guidelines set out alternatives to collecting NRIC numbers. Alternatives are also considered quite extensively in the Technical Guide that the PDPC has issued in connection with NRIC numbers and other national identification numbers.
5. Notify Individuals on What Happens to their NRIC Numbers in the Future
Finally, the PDPC has provided a template that organisations may use to notify their customers or other stakeholders about what they plan to do about NRIC numbers and other national identification numbers in the future.