From Sept 1 next year, it will be illegal for organisations to collect, use or disclose the NRIC numbers of individuals or make copies of the card, under stricter rules by the Personal Data Protection Commission (PDPC).
The privacy watchdog also warned companies that unless required by law, it will be illegal to physically hold on to a person's NRIC.
In a media statement yesterday, it said: "In today's digital economy, indiscriminate collection or negligent handling of NRIC numbers can increase the risk of unintended disclosure and may result in NRIC numbers being used for illegal activities such as identity theft or fraud." It added that such risks arise as the NRIC number is a permanent and irreplaceable identifier.
The commission has stuck to its proposed guidelines - which went up for public consultation from November to December last year - in introducing the stricter rules.
NRIC numbers or copies of the NRIC can be obtained or shared, however, if they are required by law, such as when subscribing to a new phone line, making a doctor's appointment or checking into a hotel.
NRIC details may also be collected when it is necessary to precisely verify an individual's identity "to a high degree of fidelity", such as for transactions involving healthcare, financial or real estate matters, and when not getting them could risk security or cause significant harm.
In such cases, organisations must ensure that adequate measures to protect the data, compliant with the Personal Data Protection Act (PDPA), are in place.
Organisations can be fined up to $1 million for flouting the Act.
The updated guidelines do not apply to the Government or any public agency or organisation that is acting on its behalf.
A Smart Nation and Digital Government Office spokesman told The Straits Times that the Government is the issuing authority for the NRIC, and it rightfully uses it to "discharge its functions and services with citizens in a secure manner".
But the spokesman added that "the Government will review its processes to ensure that public agencies limit the use of NRIC numbers, and the retention of physical NRICs, to transactions where such use is required by law or is necessary to accurately establish the identities of individuals".
Private organisations that have collected NRIC numbers are encouraged to assess the need to retain these numbers and, if there is no such need, should dispose of them responsibly and in compliance with PDPA disposal methods by next year.
Those that decide to keep their collection must ensure there is adequate protection, or can choose to anonymise the data.
The updated rules for NRIC numbers also apply to other national identification numbers, including the driver's licence. Although passports are replaced periodically, the commission said that organisations should avoid collecting the full passport numbers of individuals as well, unless justified.
The commission also said that partial NRIC numbers are still considered personal data under the Act, as they could allow an individual to be identified.
It reiterated that organisations that collect partial NRIC numbers - of up to the last three digits and letter - must still comply with the Act's Data Protection Provisions, and must take steps to ensure this data is secured and not disclosed.
The commission suggested alternative identifiers such as organisation or user-generated IDs, tracking numbers or organisation-issued QR codes.
Together with the Infocomm Media Development Authority (IMDA), the PDPC will help organisations adjust by publishing a technical guide on replacing the NRIC number with alternative identifiers.
The commission and IMDA will identify pre-approved technology solutions that companies can take up. They will also develop template notices that organisations can use to manage customer expectations during the transition period.