SINGAPORE - There are proper procedures in place to ensure identity card details of job seekers here are not misused, recruitment firms said.
Some said they seldom obtain scanned copies of the applicants' national registration identity cards (NRICs), and even then, only upon the hiring company's request.
Misuse of such personal data made the headlines earlier this month, with the conviction of a former recruiter who used scanned copies of job seekers' NRICs to redeem face masks.
Emerson Goh Shou En, 32, had received job applicants' CV or curriculum vitae, along with scanned copies of their NRICs.
He kept such information of 384 individuals in his mobile phone, even after he left his job as a recruiter.
He later used the NRIC copies to redeem 207 Government-issued face masks from the vending machines at Changi Simei Community Club on three occasions between May 26 and 27 last year.
Goh pleaded guilty on May 10 this year to one count each of retaining illegally obtained personal information, cheating and breaching circuit breaker measures.
Recruitment firms that The Straits Times spoke to said they are mindful of obligations under the Personal Data Protection Act (PDPA).
Under the PDPA, organisations are generally not allowed to collect, use or disclose NRIC numbers or copies of NRICs.
They may only do so if required by law, or allowed under the PDPA, or to precisely verify an individual's identity "to a high degree of fidelity".
Such situations include employers fulfilling their obligation under the Employment Act to maintain detailed records of employees, including NRIC numbers.
Employment agencies are also permitted to collect NRIC numbers from applicants who are referred to hirers for any permanent or contract job which lasts for at least six months and has a fixed monthly salary of $3,300 and above.
The PDPA also requires organisations to stop retaining documents containing personal data - or ensure that such data cannot be associated with the relevant individuals - when it is no longer needed and keeping it is not necessary for business or legal purposes.
Organisations that flout the PDPA can incur a financial penalty of up to $1 million.
Ms Agnes Yee, a director at Kerry Consulting, said her firm asks job seekers for their NRIC details only when complying with its licence requirement.
But it does not collect scanned copies of their NRIC for that purpose, she added.
Ms Yee said such personal data is collected only upon a hirer's request to facilitate its onboarding process for a selected candidate.
"This is not always a given," she said, adding that some hirers may choose to obtain the information from the candidates directly.
The scanned copy is also immediately destroyed after it has been forwarded to the hirer since "we do not need it anymore", she said.
Nicoll Curtin Technology, which specialises in recruitment for the fintech industry, has similar procedures for collecting scanned copies of job seekers' NRICs.
Mr Jon Loh, who heads the firm's office in Singapore, said the information is kept only in the respective recruiter's work e-mail inbox, and not stored in the company's cloud-based IT database.
The scanned NRIC copies are destroyed as soon as they are no longer needed, he added.
Mr Loh said the firm's IT systems - including the work e-mail inboxes of its staff - are managed by a service provider which checks for any outdated data, among other things.
"(This) personal data... is something that we, as a firm, would rather get off our hands as soon as possible, rather than actually store it," said Mr Loh.
Mr Nilay Khandelwal, managing director at Michael Page Singapore, said the firm does not request or retain scanned NRIC copies.
"As recruiters, we never scan a copy of (a) personal identification (document) - this is done by the hiring companies as part of their hiring process and paperwork," he added.
He also said the personal information of a job seeker is kept only "for as long as is necessary for us to provide professional recruitment services to them".