We thank Mr Sherman Goh Keng Hwee for his feedback (Should firms be allowed to make copies of IC, credit cards?; March 20).
In general, organisations should not, as a condition of providing a product or service, require an individual to consent to the collection, use and disclosure of his personal data beyond what is reasonable to provide him the product or service.
Organisations that require photocopies of identity cards or credit cards will need to justify that their requests are reasonable.
The retention of an individual's physical NRIC, or a copy of it, may result in an over-collection of personal data required by the organisation as the card contains not only the individual's NRIC number, but also other personal data such as the individual's full name, photograph, thumbprint and residential address.
The same risk of over-collection of personal data arises for copies of credit cards.
Organisations should consider whether there are alternative ways to address their requirements and put in place security arrangements to safeguard the personal data in their possession.
The Personal Data Protection Commission (PDPC) is reviewing its guidelines to organisations on the collection, use and disclosure of copies of NRICs and NRIC numbers, with the intent of protecting individuals from any indiscriminate or unreasonable collection, use and disclosure of such information.
At the same time, the PDPC is mindful that organisations may require time to review existing business practices before implementing the necessary changes, and a "sunrise" period will be provided before the guidelines take effect.
The PDPC will provide further details when it issues the finalised guidelines by the middle of this year.
Evelyn Goh (Ms)
Director Communications and Policy
Personal Data Protection Commission