If you are still collecting your customer’s NRIC data, you probably haven’t heard of the new law that kicked in on 1st September 2019. The new law prohibits holding or making physical copies of NRICs and the collection of full NRIC numbers unless required by the law. According to the Personal Data Protection Commission, this law applies to birth certificate numbers, passport numbers, drivers’ license, foreign identification numbers and work permit numbers as well. Unless you are a government body, this new law will affect your business.
Singapore has significantly tightened the law on NRIC collection, use, disclosure and storage, however, in specified circumstances, you may still collect NRIC data. Under the Personal Data Protection Act (PDPA), such circumstances are referred to as “Permitted Situations”, which include:
- Situations where the collection, use, or disclosure is required by the law or is an exception under the PDPA. However, you should still ensure that you have done due diligence in ensuring that you have informed your customers of the purpose of collection, use, or disclosure.
- Situations where it is absolutely necessary to identify the individual to a high level of fidelity.
How do we determine when it is necessary? Generally, when a failure to identify an individual to a high degree of fidelity would pose a significant safety, security, financial, reputational, personal or proprietary risk, NRIC information would be deemed as necessary.
According to the SingaporeLegalAdvice.com, these situations are exceptions:
- When one is seeking treatment at a clinic (pursuant to the Private Hospitals and Medical Clinics Regulations);
- When one is checking into a hotel (pursuant to the Hotel Licensing Regulations);
- When subscribing to a mobile phone plan (pursuant to the Telecommunications Act);
- When receiving massage services at a massage establishment (pursuant to the Massage Establishments Rules);
- When enrolling into a private education institution (pursuant to the Private Education Regulations); or
- When an individual is a new employee joining an organisation (pursuant to the Employment Act)
Collection, use, disclosure versus retention
The law may cut you some slack when it comes to the collection, use, and disclosure of NRIC data if you manage to find a suitable justification. However, this is not the case with retention or storage of NRIC data. Under the new NRIC guidelines, you are only allowed to retain NRIC data only if it is required by the law. Even if you need NRIC data to accurately identify an individual to a high level of fidelity, you should dispose of the data once you have correctly identified that individual.
Therefore, you should take note that even if you are in the clear for collection, use and disclosure of NRIC data, you may not be able to fit the clause related to retention.
Can I request to look at the nric just to verify an individual’s identity?
You may be faced with a situation where you need to verify if you are dealing with the right person and may need to merely take a glance at the individual’s NRIC. In this case, if you have no intention of keeping or obtain control of the individual’s NRIC data, this will not count as a collection of personal data on the physical NRIC.
Check if your current business procedures or processes require the collection, use or disclosure of NRIC data. If yes, check if it is categorised as a “Permitted Situation”. If it is not a permitted situation, review if it is really necessary to identify your customers to a high degree of fidelity and ensure that you dispose of the NRIC information when it is no longer necessary for business or legal purposes.
“I am still collecting nric data. is it too late to change?”
Better late than never. If you are still collecting NRIC data for event registration or for other reasons, switch up your business processes before you get caught for flouting the PDPA, which could get you fined up to $1 million! Here some quick methods you can use to help you switch away from using NRIC data, yet, still provides the necessary amount of security:
- Tag your customers with a combination of identifiers (e.g. First Name + Last Name + D.O.B.)
- Collect only the last 3 digits and the alphabet of the NRIC (e.g. XXXXX123A)