Stricter rules on collection, use or disclosure of NRIC numbers from 1 September 2019
26 February 2019
With effect from 1 September 2019, organisations must not collect, use or disclose Singapore National Registration Identification Card (“NRIC”) numbers, among others, to comply with the “Advisory Guidelines on the Personal Data Protection Act for NRIC and Other National Identification Numbers” (“NRIC Advisory Guidelines”) issued by the Personal Data Protection Commission (“PDPC”) on 31 August 2018.
Application of NRIC Advisory Guidelines
The NRIC Advisory Guidelines will apply to the collection, use or disclosure of the following national identification numbers (“National IDs”):
- NRIC numbers
- Passport numbers
- Birth certification numbers
- Foreign identification numbers
- Work permit numbers
However, the NRIC Advisory Guidelines will not apply to the collection, use and disclosure of National IDs, including the retention of physical NRICs, where such collection, use and disclosure is carried out by a public agency or organisation acting on behalf of a public agency in Singapore (e.g. Government ministries, statutory boards and organs of State).
Key restrictions
Collection, use and disclosure of National IDs
Under the new NRIC Advisory Guidelines, organisations will generally not be allowed to collect, use or disclose National IDs, regardless of whether an organisation has obtained express consent from the relevant individuals to collect, use and/or disclose such National IDs relating to them.
However, an organisation may still collect, use or disclose National IDs in the following specified circumstances (“Permitted Situations”):
- Required under the law or an exception under the PDPA applies: Where the collection, use or disclosure of National IDs is required under the law or an exception under the PDPA applies (however, note that the organisation must still ensure that its conduct is reasonable in the circumstances). As good practice, organisations should still notify individuals of the purpose for collection, use or disclosure, as the case may be.
- Necessary to accurately establish or verify the identities of the relevant individuals to a high degree of fidelity: Where the collection, use or disclosure of National IDs is necessary to accurately establish or verify the identities of the relevant individuals to a high degree of fidelity. Generally, the regulators will consider it necessary to accurately establish or verify the identity of an individual to a high degree of fidelity where:
- a failure to accurately identify an individual to a high degree of fidelity may pose a significant safety or security risk (e.g. visitor’s entry to preschools where ensuring the safety and security of young children is an overriding concern); or
- the inability to accurately identify an individual to a high degree of fidelity may pose a risk of significant impact or harm (e.g. reputational, financial, personal or proprietary damage) to an individual and/or organisation. This is usually the case for transactions involving healthcare, financial or real estate matters (e.g. medical check-ups and reports, background credit checks with credit bureaus, insurance claims).
For completeness, the organisation should also be able to justify upon request by either the regulators or a relevant individual why the collection, use or disclosure of National IDs was necessary to accurately establish or verify the identity of the individual to a high degree of fidelity.
Retention of physical NRIC
Under the new NRIC Advisory Guidelines, organisations should also generally avoid retaining an individual’s physical NRIC unless the retention of the physical NRIC is required under the law.
In certain situations, an organisation may merely have sight of an individual’s physical NRIC and the information on it for verification purposes. Where there was no intention to obtain control or possession of the physical NRIC in checking the physical NRIC for the purpose of establishing or verifying the identity of the individual, and no personal data will be retained once the physical NRIC is returned immediately to the individual, this will not be considered a collection of personal data on the physical NRIC.
The treatment for retention of physical NRIC applies to other identification documents containing the NRIC numbers or other National IDs (e.g. driver’s licence, passport and work pass).
Alternatives to NRIC
Instead of National IDs, organisations may consider collecting one of the following alternatives to National IDs:
- Organisation or user-generated ID
- Organisation-issued QR code
- Combination of identifiers (e.g. first name + last name, initials + last name)
- Partial NRIC numbers up to the last 3 numerical digits and checksum of the NRIC number (e.g. “567A” from the full NRIC number of “S1234567A”)
The specific type of alternative adopted will depend on an organisation’s own business and operational needs.
Practical considerations
Organisations should consider whether their current procedures and processes involve the collection, use and/or disclosure of National IDs and if so, whether such collection, use and/or disclosure may continue (i.e. because one or more of the Permitted Situations apply).
Organisations should consider each instance of collection, use and/or disclosure. In our view, the fact that the organisation may in certain situations collect National IDs (e.g. an employer may collect National IDs of their employees) does not mean that the employer may subsequently, in circumstances outside the Permitted Situations, use the previously collected National IDs.
Furthermore, in our view, reasons for collection, use and/or disclosure such as “enabling convenience” or “record-keeping” do not always fall within the Permitted Situations.
Other consequential amendments and guidance issued
With the issuance of the NRIC Advisory Guidelines, Chapter 6 on NRIC Numbers was removed from the “Advisory Guidelines on the Personal Data Protection Act for Selected Topics”.
PDPC has also issued an accompanying Technical Guide to the NRIC Advisory Guidelines that provides organisations with tips for the replacement of such identifiers in their websites and other public-facing computer systems. To help organisations manage customer expectations during the transition period, PDPC has provided a template notice. A factsheet is also available to individuals.
Reference materials
The following materials are available from the PDPC website www.pdpc.gov.sg:
- Advisory Guidelines on the PDPA for NRIC and Other National Identification Numbers
- Technical Guide to Advisory Guidelines on the PDPA for NRIC and Other National Identification Numbers
- Template Notice for Collection of NRIC Numbers
- Factsheet: Protect Your NRIC Number