Tuesday, September 11, 2018

What can Your Business Do to Comply with Singapore PDPA for National Identification Numbers?

The Personal Data Protection Commission (PDPC) of Singapore updated NRIC rules (PDF) to enhance consumer protection from 1st Sep 2019.

  1. If not required by law, companies are not allowed to obtain user’s/customer’s NRIC number. Thus, requesting for photocopy of identity document in this instance, will be absolutely illegal.
    • Such instances include but not limited to redemption of free parking, signing up for retail membership, submitting feedback or registering interest in a product/service, online purchase of movie tickets, and participating in lucky draw.
  2. Companies can only collect and use NRIC number if required by law, or when it is necessary to accurately establish or verify the identity of an individual to a high degree of fidelity.
    • Examples of such instance are: seeking medical treatment, checking into hotel, subscribing to mobile telephone line, enrolling into private education institution, new employee joining an organization.
The ruling isn’t just limited to citizen’s and permanent resident’s NRIC, but also Foreign Identification Number (FIN), Work Permit number, Birth Certificate number, as well as any document containing these numbers.

Check-out the Advisory Guidelines (PDF).

Alternatives to NRIC

In event where your business is not allowed to collect user’s NRIC, some alternatives suggested by PDPC are:
  1. User-generated ID
  2. Tracking number
  3. QR code
  4. Monetary deposit
  5. Partial NRIC (e.g. last 3 numerical digits and checksum of IC)

Protect Your Customer’s IC Document

And to organizations who are allowed to collect customer’s NRIC, you may want to consider taking measures to uphold information security, and to protect your customer’s personal data.