From 1 September 2019, the Personal Data Protection Commission of Singapore ("the PDPC") has said that, as a starting point, organisations should not collect, use or disclose an individual's NRIC number, as well as the retention of physical NRICs, except when:-
- required under the law; or
- when it is necessary to verify the identity of the individual to a high degree of fidelity.
The same considerations will apply to: –
- Passport numbers and Passports
- Birth Certificates numbers and Birth Certificates
- Work Permit Numbers and Work Permits
- Foreign Identification Numbers ("FIN") and Work Passes.
All references to NRIC numbers and physical NRICs in this guide shall apply equally to the other identification numbers and documents.
Collection Required by Law
As a starting point, the PDPC has set out a non-exhaustive list of all common scenarios where private sector organisations may be required to collect an individual's NRIC or other national identification number under the law. The list, including the links, below are updated as at 27 August 2019
- This list is meant for general reference only. The contents of the list are not intended to be an authoritative statement of the position at law.
- An organisation may be able to justify collection on other grounds, so long as such a collection is nonetheless required by law.
- In the same vein, organisations should not retain the physical NRIC unless required by law.
Necessary to verify or establish the identity to a high degree of fidelity
The PDPC generally considers it necessary to accurately establish or verify the identities of individuals to a high degree of fidelity in the following scenarios: –
- where failure to accurately identify an individual would pose a significant safety or security risk, such as security checks for visitors;
- where inability to accurately identify an individual would pose a risk of significant harm to the individual or to the organisation, these relate more to transactions and claims of a medical nature or relating to financial aid or any equivalent.
However, these are merely illustrative examples, and the categories are non-exhaustive. The organisation must be able to justify the need for identification to a high degree of fidelity.
Even if there is justification to collect the NRIC number, the other provisions relating to the notification of purpose, and the obtaining of consent, and the use and disclosure to be consistent with the notified purposes under the PDPA must be complied with, subject to the exceptions in the PDPA.
Where possible, the organisation should consider using alternative or replacement identifiers. The PDPC has given some guidelines for choosing a replacement identifier instead of NRIC Numbers: –
- Should be easily remembered by the individual
- Should be unique to each individual
- Should not contain sensitive information
- Cannot be easily guessed by others
Organisations are encouraged to use replacement identifiers for their own purposes. NRIC numbers that are collected should only be used and or disclosed as required by law or where required to identify the individual to a high degree of fidelity.
The increased risks of misuse of NRIC numbers means that organisations are expected to provide a greater level of security and protection of NRIC numbers. This is consistent with the obligation to provide reasonable security arrangements under the PDPA. Similarly, organisations should remove NRIC numbers from their records once the purposes for which the NRIC numbers has been fulfilled, and that retention is no longer necessary for their business or legal purposes.
Our Intellectual Property and Technology team advises clients from start-ups to multinationals on the full range of data protection issues from the collection, use and processing of data for commercial purposes to the secure storage of data from unauthorised access. We focus on risk management solutions by providing practical insights into the practices.
Published: September 3, 2019
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.