SINGAPORE: Organisations in Singapore will have to stop the practice of indiscriminate harvesting of people’s NRIC details from Sep 1 next year.
The Personal Data Protection Commission (PDPC) on Friday (Aug 31) issued its enhanced advisory guidelines following the close of the public consultation last December.
AdvertisementIt said that under the updated guidelines, organisations can collect, use or disclose NRIC numbers or copies of the NRIC only under certain specific circumstances.
First, if they are required by the law or deemed necessary to accurately verify one’s identity to a “high degree of fidelity”, the PDPC said in its press release.
(Infographic: PDPC)
For example, a telco will continue to be allowed to keep a record or scanned copy of subscribers’ NRICs, as it is legally required to maintain a register of customers, the agency explained.
The second exception is when failing to provide NRIC details could pose a significant safety or security risk, or may pose a risk of significant impact or harm to an individual and the organisation, it added.
AdvertisementAdvertisementThese could be transactions relating to healthcare or real estate matters like insurance applications and claims.
Another example of this exception would be when stores that sell cigarettes have to ask consumers for their NRIC to verify that they meet the minimum legal age for buying the product, PDPC said.
It did add that organisations should be able to justify why they are collecting NRIC numbers when asked by individuals or the PDPC.
“The NRIC number is a permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to an individual,” the data privacy watchdog said.
“In today’s digital economy, indiscriminate collection or negligent handling of NRIC numbers can increase the risk of unintended disclosure and may result in NRIC numbers being used for illegal activities such as identity theft or fraud.”
This same treatment applies to birth certificate numbers, foreign identification numbers and work permit numbers. As for passport numbers, even though they are periodically changed, organisations should avoid collecting the full numbers unless justified, it said.
The updated guidelines do not apply to a public agency or an organisation acting on its behalf though.
A Smart Nation and Digital Government Office (SNDGO) spokesperson told Channel NewsAsia that the Government, as the issuing authority for the NRIC, “rightfully uses the NRIC to discharge its functions and services with citizens in a secure manner”.
It will review its processes to ensure public agencies limit the use of NRIC numbers, and the retention of physical NRICs, to transactions where such use is required by law or is necessary to accurately establish people’s identities, the spokesperson said.
“As we improve the use of data to serve citizens and businesses, the Government will ensure that our data protection measures continue to be on par, if not better, than best practices in the private sector,” added the spokesperson.
MAKING THE CHANGE
To help ease the transition for organisations here, especially for smaller businesses, PDPC said it will work with the Info-communications Media Development Authority (IMDA) to do the following:
Other examples could be the use of mobile phone numbers or the use of parts of the NRIC, like the last three digits and the last alphabet.
There are 22 pre-approved technology solutions identified for organisations to turn to as they embark on the necessary changes.
For companies worried about the financial outlay of adopting these solutions, IMDA said they can apply for the Productivity Solutions Grant to help defray the costs.
And there are business benefits to be reaped for companies who view this requirement as a competitive advantage, rather than a compliance cost.
Mr Yeong Zee Kin, deputy commissioner at PDPC, said: "If there's no need to hang on to NRIC data, then keeping it actually introduces additional risk” as he warned that the data could potentially be hacked and the organisations liable for any leaked information.
Beyond the updated guidelines, PDPC said a mindset change is needed to better safeguard personal data.
"Old practices introduced back in the pen-and-paper days needs to be revised ... to be more sophisticated and digitally secure,” Mr Yeong explained.
He also said it’s not just organisations that need to change, but consumers too.
Responding to an example brought up by Channel NewsAsia about contests found on AXS machines requiring people to sign up using their NRIC numbers to stand a chance to win a car, Mr Yeong said: “Consumers also need to ask if they want to give such data for a chance to win a car.”
“All parties need to play a part,” he added.
Let's block ads! (Why?)
More...
The Personal Data Protection Commission (PDPC) on Friday (Aug 31) issued its enhanced advisory guidelines following the close of the public consultation last December.
AdvertisementIt said that under the updated guidelines, organisations can collect, use or disclose NRIC numbers or copies of the NRIC only under certain specific circumstances.
First, if they are required by the law or deemed necessary to accurately verify one’s identity to a “high degree of fidelity”, the PDPC said in its press release.
For example, a telco will continue to be allowed to keep a record or scanned copy of subscribers’ NRICs, as it is legally required to maintain a register of customers, the agency explained.
The second exception is when failing to provide NRIC details could pose a significant safety or security risk, or may pose a risk of significant impact or harm to an individual and the organisation, it added.
AdvertisementAdvertisementThese could be transactions relating to healthcare or real estate matters like insurance applications and claims.
Another example of this exception would be when stores that sell cigarettes have to ask consumers for their NRIC to verify that they meet the minimum legal age for buying the product, PDPC said.
It did add that organisations should be able to justify why they are collecting NRIC numbers when asked by individuals or the PDPC.
“The NRIC number is a permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to an individual,” the data privacy watchdog said.
“In today’s digital economy, indiscriminate collection or negligent handling of NRIC numbers can increase the risk of unintended disclosure and may result in NRIC numbers being used for illegal activities such as identity theft or fraud.”
This same treatment applies to birth certificate numbers, foreign identification numbers and work permit numbers. As for passport numbers, even though they are periodically changed, organisations should avoid collecting the full numbers unless justified, it said.
The updated guidelines do not apply to a public agency or an organisation acting on its behalf though.
A Smart Nation and Digital Government Office (SNDGO) spokesperson told Channel NewsAsia that the Government, as the issuing authority for the NRIC, “rightfully uses the NRIC to discharge its functions and services with citizens in a secure manner”.
It will review its processes to ensure public agencies limit the use of NRIC numbers, and the retention of physical NRICs, to transactions where such use is required by law or is necessary to accurately establish people’s identities, the spokesperson said.
“As we improve the use of data to serve citizens and businesses, the Government will ensure that our data protection measures continue to be on par, if not better, than best practices in the private sector,” added the spokesperson.
MAKING THE CHANGE
To help ease the transition for organisations here, especially for smaller businesses, PDPC said it will work with the Info-communications Media Development Authority (IMDA) to do the following:
- Publish a technical guide that would provide organisations with information on how they can replace NRIC numbers with alternative identifiers for websites and public-facing computer systems
- Identify pre-approved technology solutions for them to adopt
- Develop template notices that organisations can use to manage customer expectations during the transition period
Other examples could be the use of mobile phone numbers or the use of parts of the NRIC, like the last three digits and the last alphabet.
There are 22 pre-approved technology solutions identified for organisations to turn to as they embark on the necessary changes.
For companies worried about the financial outlay of adopting these solutions, IMDA said they can apply for the Productivity Solutions Grant to help defray the costs.
And there are business benefits to be reaped for companies who view this requirement as a competitive advantage, rather than a compliance cost.
Mr Yeong Zee Kin, deputy commissioner at PDPC, said: "If there's no need to hang on to NRIC data, then keeping it actually introduces additional risk” as he warned that the data could potentially be hacked and the organisations liable for any leaked information.
Beyond the updated guidelines, PDPC said a mindset change is needed to better safeguard personal data.
"Old practices introduced back in the pen-and-paper days needs to be revised ... to be more sophisticated and digitally secure,” Mr Yeong explained.
He also said it’s not just organisations that need to change, but consumers too.
Responding to an example brought up by Channel NewsAsia about contests found on AXS machines requiring people to sign up using their NRIC numbers to stand a chance to win a car, Mr Yeong said: “Consumers also need to ask if they want to give such data for a chance to win a car.”
“All parties need to play a part,” he added.
Let's block ads! (Why?)
More...