Sunday, 2 September 2018

Collecting NRIC numbers and making copies of the identity card will be illegal from 1 September 2019

Stricter rules to protect NRIC data from next Sept
Collecting, using or disclosing numbers, or making copies of card, will be against the law
By Hariz Baharudin, The Straits Times, 1 Sep 2018

From Sept 1 next year, it will be illegal for organisations to collect, use or disclose the NRIC numbers of individuals or make copies of the card, under stricter rules by the Personal Data Protection Commission (PDPC).

The privacy watchdog also warned companies that unless required by law, it will be illegal to physically hold on to a person's NRIC.

In a media statement yesterday, it said: "In today's digital economy, indiscriminate collection or negligent handling of NRIC numbers can increase the risk of unintended disclosure and may result in NRIC numbers being used for illegal activities such as identity theft or fraud." It added that such risks arise as the NRIC number is a permanent and irreplaceable identifier.

The commission has stuck to its proposed guidelines - which went up for public consultation from November to December last year - in introducing the stricter rules.


NRIC numbers or copies of the NRIC can be obtained or shared, however, if they are required by law, such as when subscribing to a new phone line, making a doctor's appointment or checking into a hotel.

NRIC details may also be collected when it is necessary to precisely verify an individual's identity "to a high degree of fidelity", such as for transactions involving healthcare, financial or real estate matters, and when not getting it could risk security or could cause significant harm.

In such cases, organisations must ensure they have adequate protection measures in place for the data that are compliant with the Personal Data Protection Act (PDPA).

Organisations can be fined up to $1 million for flouting the Act.

The updated guidelines do not apply to the Government or any public agency or organisation that is acting on its behalf.

A Smart Nation and Digital Government Office spokesman told The Straits Times that the Government is the issuing authority for the NRIC, and it rightfully uses it to "discharge its functions and services with citizens in a secure manner".

But the spokesman added that "the Government will review its processes to ensure that public agencies limit the use of NRIC numbers, and the retention of physical NRICs, to transactions where such use is required by law or is necessary to accurately establish the identities of individuals".

Private organisations that have collected NRIC numbers are encouraged to assess the need to retain these numbers and, if not, should dispose of them responsibly and in compliance with PDPA disposal methods by next year.

Those that decide to keep their collection must ensure there is adequate protection, or can choose to anonymise the data.

The updated rules for NRIC numbers also apply to other national identification numbers, including the driver's licence. Although passports are replaced periodically, the commission said that organisations should avoid collecting the full passport numbers of individuals as well, unless justified.

The commission also said that partial NRIC numbers are still considered personal data under the Act, as it could allow an individual to be identified.

It reiterated that organisations that collect partial NRIC numbers - of up to the last three digits and letter - must still comply with the Act's Data Protection Provisions, and must take steps to ensure this data is secured and not disclosed.

The commission suggested alternative identifiers such as organisation or user-generated IDs, tracking numbers or organisation-issued QR codes.

Together with the Infocomm Media Development Authority (IMDA), the PDPC will help organisations adjust by publishing a technical guide on replacing the NRIC number with alternative identifiers.

The commission and IMDA will identify pre-approved technology solutions that companies can take up. They will also develop template notices that organisations can use to manage customer expectations during the transition period.








AskST: Stricter PDPA guidelines on NRIC - how will it affect you?
The Straits Times, 1 Sep 2018

From Sept 1 next year, it will be illegal for organisations to collect, use or disclose NRIC numbers or make copies of the identity card under stricter rules spelt out yesterday by the Personal Data Protection Commission. Here is what you need to know.

Q How will this affect me?

A From Sept 1 next year, you will no longer have to give up your NRIC number or card, except in certain special cases.


Q In what situations do I not have to give my NRIC number or card?

A Unless required by law or when it is necessary to accurately identify you, you do not need to supply them. This includes applying for retail memberships, signing up for contests or lucky draws, renting a bicycle, purchasing movie tickets online or completing survey forms. You should also not furnish your NRIC or its details when entering the premises of a condominium or using a computer at an Internet cafe.



Q What are the situations in which I will be compelled to release my NRIC information?

A You will have to provide the information when the law requires it. This includes seeking medical treatment at a general practitioner clinic, which is required under the Private Hospitals and Medical Clinics Regulations. Another instance is when you are checking into a hotel as the information is required under the Hotel Licensing Regulations. Subscribing to a phone line also requires you to give your NRIC details under the Telecommunications Act.

You can also be asked to furnish your NRIC details when the inability to accurately identify you could cause significant harm. For instance, transactions related to property or healthcare matters, as in the case of insurance applications and claims.


Q What about showing my NRIC for purchases with an age restriction, like tobacco or alcohol, or showing it to verify my identity?

A This is allowed. In such cases, the mere sight of an individual's physical NRIC and information is needed for verification purposes. It is permitted as long as there is no intention to obtain control or possession of the physical NRIC and if no personal data is retained once the NRIC is returned immediately.


Q Does this apply only to the NRIC?

A These stricter rules also apply to cards that have your NRIC number on them, like a driver's licence. The same treatment applies for national identification numbers like birth certificate numbers, foreign identification numbers and work permit numbers. While passport numbers are periodically replaced, organisations should avoid collecting the full passport numbers of individuals as well unless justified.



Q What other alternatives could replace the NRIC for identification purposes?

A Alternatives may include organisation or user-generated IDs, tracking numbers or organisation-issued QR codes, as well as partial NRIC details of up to the last three digits and letter.


Q Will I still be asked for my NRIC details for access to government services and premises?

A Yes. The Advisory Guidelines on NRIC do not apply to the Government. The NRIC number is a unique identifier assigned by the Government to each Singapore resident that is often used for transactions with the Government. As the issuing authority for the NRIC, the Government rightfully uses the NRIC to discharge its functions and services with citizens in a secure manner.












Experts, consumers back stricter NRIC data rules
Misuse of data poses the risk of identity theft and fraud, they say
By Hariz Baharudin, The Straits Times, 1 Sep 2018

The updated guidelines for the collection, use and disclosure of NRIC details address the danger that its misuse could result in crimes such as fraud and identity theft, said experts and consumers.

The Personal Data Protection Commission (PDPC) yesterday announced that from Sept 1 next year, organisations will no longer be allowed to collect, use or disclose NRIC numbers, or make copies of the NRIC, except when required by law or in cases where an individual's precise verification is needed.

Unless required by law, holding on to an individual's physical NRIC will also be illegal.

Mr Bryan Tan, a lawyer from Pinsent Masons MPillay specialising in technology law and data protection, said that NRIC numbers are unique and they are a permanent identifier for Singaporeans. That makes it attractive for people to collect and misuse.

He said: "These measures are a long time coming. The NRIC number sticks with you for a lifetime. There are so many people out there who will want to collect it, and it is risky if the numbers are used without your consent."

Singapore Business Federation chairman Teo Siong Seng said the NRIC can be a gateway to more information that individuals might not want to disclose, which makes it important that the information is not collected or retained unnecessarily.

With an NRIC number, a hacker can unlock vast amounts of personal information, including income details, residential address, medical status, and property and vehicle ownership.

Consumers also welcomed the stricter rules to protect their data.

Mr Samuel Lee, a 27-year-old freelancer, said: "It is good that the days of having to give my NRIC when I rent a bicycle or play games at an Internet cafe will be over.

"Having others hold on to it always made me feel uneasy be-cause my NRIC number can access my SingPass and other kinds of information."

However some, like Mr Thomas Fernandez, council member of the Association of Small and Medium Enterprises, said the one year that businesses have to comply with the stricter guidelines might be too short.

While he agreed that the updated rules will help protect consumers' privacy, he said: "The SMEs and micro-SMEs will definitely have a lot of problems to understand the law and find solutions for it.

"They have more things to keep in mind to keep the business running. They might also need help to understand these laws and be guided on what to do."

In a media release yesterday, the PDPC said it will, together with the Infocomm Media Development Authority, help organisations adjust by publishing a technical guide on replacing the NRIC number with alternative identifiers.

Alternatives may include organisation or user-generated IDs, tracking numbers or organisation-issued QR codes, as well as partial NRIC details of up to the last three digits and letter. The two groups will also identify pre-approved technology solutions that companies can take up and develop template notices that can be used to educate customers.

Mr Tan said that although some businesses might have problems adjusting, one year is long enough.

What is needed, he added, is a mindset change surrounding the collection of NRIC numbers. "For most other laws, you do not get this much time to comply. People have to change the habit of collecting and keeping NRIC numbers 'just in case'," he said.








No comments:

Post a Comment