E-briefing: Guide on the Collection, Use and Disclosure of NRIC and other National Identification Numbers
From 1 September 2019, organisations will not be allowed to collect, use, or disclose the Singapore National Registration Identification Card (“NRIC”) numbers or copies of the NRIC except under specific circumstances.
This is pursuant to the Advisory Guidelines on the Personal Data Protection Act for NRIC and Other National Identification Numbers (the “Guidelines”) issued by the Personal Data Protection Commission, under the Personal Data Protection Act 2012 (the “PDPA”). This e-briefing discusses the key provisions that all organisations must consider when aligning their existing business practices and policies with the Guidelines.
General Rule on NRICs and other National Identification Numbers
The NRIC number is a unique identifier assigned by the Singapore Government to Singapore citizens and permanent residents of registrable age under the National Registration Act. It is considered personal data as the individual can be identified from the unique sequence of numbers and letters.
As the NRIC number is a permanent and irreplaceable identifier which can potentially be used to unlock large amounts of information relating to the individual, the collection, use and disclosure of an individual’s NRIC number is of special concern. As such, from 1 September 2019, organisations are not allowed to collect, use or disclose NRIC numbers or copies of the NRIC, unless any of the below exceptions apply. The same principle applies to birth certificate numbers, Foreign Identification Numbers (“FIN”) and Work Permit numbers.
When are Organisations Allowed to Collect, Use or Disclose NRIC Numbers
There are two exceptions to the above general rule. Organisations may collect, use or disclose NRIC numbers (or copies thereof):
- When required by law, or when an exception to the PDPA applies; or
- When necessary to accurately establish or verify the identities of individuals to a high degree of fidelity.
Where organisations may collect, use or disclose NRIC numbers, they must nevertheless still comply with the following obligations under the PDPA:
- Notify the individual of the purposes of the collection, use and disclosure of the personal data and obtain his/her consent, unless: (i) such collection, use and disclosure is required by law; or (ii) the individual voluntarily provides the data and it is reasonable that he/she would voluntarily provide the data;
- Make reasonable security arrangements to protect the personal data in its possession or control; and
- Cease to retain the personal data as soon as the purpose for which the personal data is collected is no longer served by the retention of such data, and retention is no longer necessary for business or legal purposes (Section 25, PDPA). Note that the PDPA does not provide a specific data retention period.
1) Collection, Use or Disclosure Required by Law or an Exception to the PDPA Exists
When the collection, use or disclosure is required by law, the organisation need not obtain the individual’s consent. However, it is still good practice for the organisation to notify the individual of the purpose of the collection, use or disclosure.
The following are some examples of when the collection, use or disclosure of NRIC is required by law:
- An individual seeking medical treatment at a private hospital, medical clinic or healthcare establishment (Private Hospitals and Medical Clinics Regulations)
- A guest checking into a hotel (Hotels Licensing Regulations)
- An employee joining an organisation (Employment (Employment Records, Key Employment Terms and Pay Slips) Regulations 2016)
- A customer obtaining massage services at a massage establishment. The massage licensee must enter the client's information in a register and keep the register for at least a year (Massage Establishment Rules 2018)
- An individual obtaining financial services from financial institutions (MAS Notices on Prevention of Money-Laundering and Countering the Financing of Terrorism)
- A student enrolling in a registered private education institution (Private Education Regulations 2009)
2) Necessary to Establish or Verify the Identity of the Individual to a High Degree of Fidelity
The following situations fall under this exception:
- Where the failure to accurately identify the individual to a high degree of fidelity may pose a significant safety or security risk. For example, visitor entry to preschools; or
- Where the inability to accurately identify an individual to a high degree of fidelity may pose a risk of significant impact or harm to an individual and/or the organisation (e.g. fraudulent claims). Such transactions typically relate to healthcare, financial or real estate matters, such as property transactions, insurance applications and claims, applications and disbursements of substantial financial aid, background credit checks with credit bureaus, and medical check-ups and reports.
What this means for your Organisation
Organisations must remember that when they collect a copy of the NRIC, they are considered to have collected all the personal data on the NRIC, and will be subject to the provisions of the PDPA for that collection. Organisations must thus carefully consider whether their collection, use or disclosure of NRIC falls under any of the exceptions above. Organisations may also consider adopting alternatives to NRIC numbers based on their business and operational needs.
For example, organisations may consider using user-generated user IDs, tracking numbers, or an organisation-issued QR code. They may also consider collecting only partial NRIC numbers (up to the last 3 numerical digits). Note, however, that partial NRIC numbers are still considered personal data to the extent that an individual can be identified from the number and any other information to which the organisation has access. Under the PDPA, “personal data” means data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access.
If there is a need to discuss your personal data protection obligations, including any of the above, please contact the Partner who is servicing your Company and/or send an email to [email protected] and a meeting will be arranged to discuss your specific concern/s.
For further information, contact:
K. K. Lim
Head, Cybersecurity, Privacy & Data Protection
Eversheds Harry Elias
T: +65 6361 9307
M: +65 9456 6191
Foreign Legal Associate, International Arbitration
Eversheds Harry Elias
T: +65 6361 9821
For more information, please contact our Business Development Manager, Ricky Soetikno at [email protected]