SINGAPORE - From Sept 1 next year, it will be illegal for organisations to collect, use or disclose NRIC numbers or make copies of the identity card, under stricter rules spelt out on Friday (Aug 31) by the Personal Data Protection Commission.
For years, places like shopping malls have collected NRIC numbers when registering customers for lucky draws and memberships or even to track parking redemptions.
But the updated rules mean organisations will no longer be allowed to do that.
Organisations that have collected NRIC numbers are also encouraged to assess if they need to retain these numbers and, if not, to dispose of them responsibly and in compliance with Personal Data Protection Act (PDPA) disposal methods by next year.
Organisations which decide to keep their collection must ensure there is adequate protection. They can also choose to anonymise the NRIC. This follows updates to the rules for such collection under the PDPA, which went fully into force in July 2014.
"In today's digital economy, indiscriminate collection or negligent handling of NRIC numbers can increase the risk of unintended disclosure and may result in NRIC numbers being used for illegal activities such as identity theft or fraud," the commission said in a release on Friday (Aug 31).
It added that such risks arise as the NRIC number is a permanent and irreplaceable identifier.
Companies were also warned that, unless required by law, physically holding on to an individual's NRIC will also not be allowed from Sept 1.
Although the Act already prohibits the indiscriminate collection of consumers' personal data, and requires organisations to account for the use of the data, privacy advocates argued that NRIC details were still being collected, sometimes for frivolous reasons. These ranged from booking a movie ticket to renting a bicycle.
Following public feedback, the privacy watchdog proposed updated guidelines which were then put up for public consultation from November to December last year, before the stricter rules were developed.
There are, however, exceptions.
NRIC numbers or copies of the NRIC can only be obtained or shared if they are required by law, such as when subscribing to a new phone line, making a doctor's appointment or checking into a hotel.
NRIC details may also be collected when it is necessary to precisely verify an individual's identity "to a high degree of fidelity".
This would include visiting pre-schools or transactions involving healthcare, financial or real estate matters, and cases where not getting it could pose a security risk or cause significant harm.
"Where the collection, use and disclosure of NRIC numbers or retention of physical NRICs is permitted, organisations must ensure that adequate protection measures are in place to safeguard the personal data in their possession or under their control, in compliance with their obligations under the PDPA," added the commission.
These updated guidelines do not apply to the Government or any public agency or organisation that is acting on its behalf.
In response to queries from The Straits Times, a Smart Nation and Digital Government Office spokesperson said that the Government is the issuing authority for the NRIC and that it rightfully uses it to "discharge its functions and services with citizens in a secure manner".
Added the spokesman: "Nevertheless, the Government will review its processes to ensure that public agencies limit the use of NRIC numbers, and the retention of physical NRICs, to transactions where such use is required by law or is necessary to accurately establish the identities of individuals."
Organisations that are found flouting the Act can be fined up to $1 million.
These updated rules for NRIC numbers also apply to other national identification numbers, like birth certificate numbers, foreign identification numbers and work permit numbers.
Although passports are periodically replaced, the commission said that organisations should avoid collecting the full passport numbers of individuals as well, unless justified.
It acknowledged that some organisations collect a partial NRIC number and clarified that details of up to the last three numerical digits and letter of the NRIC would not be considered the full NRIC number.
But it added that these partial numbers are still considered personal data under the Act, as they could allow an individual to be identified.
The privacy watchdog reiterated that organisations that collect partial NRIC numbers must still comply with the Act's Data Protection Provisions, and must take steps to make sure this data is secured and not disclosed.
It said it does not prescribe the type of identifiers that organisations can use instead of NRIC numbers, and that organisations are encouraged to assess these alternatives based on their own needs.
Some alternatives it suggested include organisation or user-generated ID, tracking numbers or organisation-issued QR codes.
The commission said it will, together with the Infocomm Media Development Authority (IMDA), help organisations adjust by publishing a technical guide on replacing the NRIC number with alternative identifiers.
The commission and IMDA will identify pre-approved technology solutions that companies can take up.
They will also develop template notices that organisations can use to manage customer expectations during this transition period.