Singapore Data Privacy Laws: Are You Collecting NRIC Data?
It is illegal for private sector organisations to collect, use or disclose national identification numbers (unless required by law). What can you do to protect your organisation?
On 31 August 2018, the Personal Data Protection Commission Singapore (PDPC) issued Advisory Guidelines on the Personal Data Protection Act ('PDPA') for the National Registration Identification Card (NRIC) and other National Identification Numbers (the Guidelines). The Guidelines took effect on 1 September 2019, and organisations that fail to comply with their obligations under the PDPA may face financial penalties of up to SGD one million.
Under the Guidelines, private sector organisations are not allowed to collect, use or disclose national identification numbers unless strictly necessary. National identification numbers may only be collected when it is necessary to identify an individual to a high degree of fidelity, or when the law requires individuals to provide their full national identification number, such as when checking into a hotel or in relation to healthcare matters. Organisations that are allowed to collect national identification numbers and/or documents must “ensure that adequate security protection measures are in place to safeguard the personal data in their possession or under their control.” Where collection is neither required by law nor strictly necessary, organisations are to use alternative identifiers, such as partial national identification numbers (up to the last three digits and letter), user-generated IDs, and others.
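As an added illustration (not part of the Aon or PDPC text), the following Python shows what the partial-identifier rule looks like in practice: a format-only pattern that finds full NRIC/FIN values already sitting in records or free text, and a masking step that reduces them to the permitted last three digits plus letter. The identifiers S1234567D and F7654321N are constructed sample values, and the code assumes the standard prefix-plus-seven-digits-plus-letter shape without validating the checksum letter.

```python
import re

# Full NRIC/FIN shape: prefix letter, seven digits, checksum letter.
# Format check only; the checksum letter is not validated here.
FULL_NRIC_RE = re.compile(r"\b[STFGM]\d{7}[A-Z]\b")


def mask_nric(nric: str) -> str:
    """Return the partial form the Guidelines permit: the last three
    digits plus the letter, with everything before them replaced by '*'.
    Raises ValueError if the input is not shaped like a full NRIC/FIN."""
    if not FULL_NRIC_RE.fullmatch(nric):
        raise ValueError("not a full NRIC/FIN format")
    keep = nric[-4:]  # e.g. "567D"
    return "*" * (len(nric) - 4) + keep


def find_full_nrics(text: str) -> list[str]:
    """List every full-format NRIC/FIN found in free text (a CRM export,
    a visitor log, a form dump) so it can be reviewed and minimised."""
    return FULL_NRIC_RE.findall(text)


def minimise_record(record: dict) -> dict:
    """Copy a record, replacing full NRICs in every string field with the
    partial form. Non-string fields are passed through unchanged."""
    out = {}
    for key, value in record.items():
        if isinstance(value, str):
            out[key] = FULL_NRIC_RE.sub(lambda m: mask_nric(m.group(0)), value)
        else:
            out[key] = value
    return out


# Constructed sample: a retail membership record that stores the full
# NRIC in a dedicated field and again inside a free-text note.
SAMPLE_RECORD = {
    "member_id": 1042,
    "nric": "S1234567D",
    "notes": "Verified ID S1234567D at counter; visitor pass F7654321N.",
}

if __name__ == "__main__":
    print("full NRICs found in notes:", find_full_nrics(SAMPLE_RECORD["notes"]))
    print("minimised record:", minimise_record(SAMPLE_RECORD))
```

Running `find_full_nrics` over exported data is a quick way to locate fields that a policy review should flag; `minimise_record` shows the retained form once the full number is no longer justified.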
The Guidelines also state that organisations should not retain individuals’ physical identification documents containing national identification numbers (unless required by law). Aon encourages organisations who are unsure how the Guidelines affect them, or whether exemptions apply, to seek legal advice.
Why Does it Matter?
The PDPC released the Guidelines in an attempt to control the “indiscriminate or unjustified collection and negligent handling” of permanent identification numbers. Following a global trend, governing bodies are cracking down on the unnecessary collection of such information, often used in Singapore for matters like applying for retail memberships and when entering private condominiums or office buildings. The PDPC highlighted the need to control the collection of such information especially since national identification numbers are permanently tied to an individual throughout their lifetime and can be used to retrieve individual and private data.
What Can I Do to Protect My Organisation?
- Review your organisation’s policies and processes regarding the collection and storage of NRIC details
- If NRIC data is captured, review the PDPC’s list of laws which require or allow private sector organisations to collect NRIC data to determine whether your organisation is exempted
- If NRIC data is captured and there is no legal justification or any other applicable justification, immediately revise policies and processes to comply with the Guidelines
- If you are unsure about how the Guidelines apply to your organisation, seek legal advice
- Secure a cyber insurance policy. In addition to providing cover for first-party expenses arising from cyber incidents, cover for business interruption and ransomware losses, and liability to third parties, a best-in-class policy can provide cover for the costs associated with PDPC investigations.