The Personal Data Protection Commission (PDPC) has reminded organizations that it would be unlawful to physically hold onto the PDPA NRIC and collect its full number unless required by legislation from Sept 1.
The guidelines under the PDPA NRIC apply to several types of documents, including birth certificates, foreign ID numbers, and work permit numbers.
The Commission proposed last year’s changes to the consultative guidelines following the excessive use of the PDPA NRIC.
Details about the NRIC were used in a range of situations-from lucky coupons and membership applications to customer registration retailers for parking reimbursements.
NRIC numbers are a permanent and irreplaceable identifier, provided primarily for public administrative purposes by the Singapore Government and intended to facilitate transactions with the government.
Given that NRIC numbers can be used to retrieve data on people, indiscriminate or unjustified collection and negligent handling of NRIC numbers must be reduced under a PDPC statement.
Organisations that have collected NRIC numbers were encouraged to assess whether these numbers are to be retained or not. The Commission likewise suggests that they dispose of these numbers according to PDPA guidelines.
The legislation already prohibits the indiscriminate collection of personal data of consumers and requires organisations to be responsible for its use.
But privacy advocates argued that companies sometimes collect NRIC details for frivolous reasons.
Only if they are legally required, for example, when subscribing to a new telephone line, making the doctor’s appointment or checking at a hotel, can NRIC numbers or copies be received or shared from Sunday.
NRIC details can also be collected when a person’s identity needs to be accurately checked.
Activities that may require verification of NRIC details are pre-school visits or transactions related to health, financial, or immobilization.
Organizations attempting to obtain, use, or communicate NRIC numbers indiscriminately would be violating PDPA and could be liable to a financial penalty of up to 1 million dollars.
One company that has modified its NRIC use is the security services company Prosegur Security, which in Singapore employs around 1.400 security officers.
In the past, some of the company’s customers had requested the NRIC to collect the full number or card, before visitors were able to enter their premises.
The company now tells its customers that such requests can not be made, and changes have been made to its SOPs.