In recent years, the Personal Data Protection Act 2012 (“PDPA”) of Singapore has been a trending topic for discussion, especially due to the trend of storing valuable personal data virtually online instead of in physical storage. The PDPA is crucial as it protects the personal data of individuals while recognising the need for organisations to “collect, use and disclose” personal data for reasonable purposes.1 To achieve that, the PDPA sets out guidelines and obligations that we will be discussing in another series of articles.
This article will instead focus on the recent developments on the PDPA, specifically the recent restrictions on the collection of National Registration Identity Cards (“NRIC”) as well as NRIC numbers. These restrictions came into force on 1 September 2019. From that date onwards, organisations are prohibited from collecting, using, or disclosing the NRIC or NRIC numbers of their customers when it is not required by law or if it is not necessary to establish or verify a customer’s identity to a high degree of fidelity.
Exceptions for when the collection of NRIC/NRIC numbers is allowed
Required by law
As mentioned previously, there are times when the collection of NRIC/NRIC numbers is allowed and required by law. This requirement for the individual to provide his NRIC/NRIC number to the organisation is normally stipulated within statutes pertaining to the industry or business that the organisation is in. The following are some examples of when the NRIC or NRIC number is required by law:
- When seeking medical treatment at a General Practitioner clinic
When registering for a medical appointment at a General Practitioner’s clinic, the patient is required to first produce his/her NRIC for verification purposes. This requirement is supported by regulations 12(1) and 1A(a) of the Private Hospitals and Medical Clinics Regulations.
- Checking into a hotel
Before checking in to a hotel, the hotel guest must first provide his/her NRIC number for the purposes of verifying his/her identity. This requirement is supported by regulation 27(1) of the Hotels Licensing Regulations which states that every hotel must require its guest to furnish his/her full name and NRIC number when. Regulation 27(3) also states that every guest is required to accommodate such a request.
- New Employee joining an organisation
When a new employee joins an organisation, the employer is required to maintain a detailed and accurate employment record of employees as required by Section 95 of the Employment Act.1 The employment record requires crucial personal data such as the NRIC numbers of the employees.
When NRIC numbers are required in an emergency situation but consent was not given
It is sometimes necessary for individuals to disclose the NRIC number of another individual without his consent if, for example, the person is incapacitated during a medical emergency and his NRIC number is required to admit him to the hospital. This is allowed under the Fourth Schedule of the PDPA as an exception for the disclosure of another’s NRIC number without consent.
Necessary to establish or verify a customer’s identity to a high degree of fidelity
However, if there is no legal or statutory requirement for the NRIC/NRIC number to be provided, its collection may still be allowed if it can be proven that the NRIC/NRIC number is necessary to establish or verify a customer’s identity to a high degree of fidelity. In order to better understand and apply this exception in situations which require it, it is helpful to understand what a “high degree of fidelity” means in this context. The PDPC has set out two illustrative scenarios where it would be necessary to collect, use or disclose the NRIC number of an individual and they are as follows:
- If there is an urgent or pressing need to verify an individual, and failure to do so may pose a significant safety or security risk, the collection, use and disclosure of the NRIC number of an individual will be allowed. The PDPC gave the example of verifying the identity of individuals who enter preschools, as the safety and security of the young children present are of paramount concern.
- There may be a situation where the inability to accurately identify an individual may pose a significant risk or harm to an individual or an organisation; the example that the PDPC gave was that of fraudulent claims. Thus, especially for commercial transactions such as real estate matters or insurance matters, the collection, use and disclosure of NRIC numbers may be allowed.
However, it is once again important to note that these examples are illustrative in nature and non-exhaustive. The PDPC listing out these two examples does not exclude the possibility of other circumstances where the collection, use and disclosure of NRIC numbers will be allowed.
Thus, in light of these newly introduced restrictions on the collection, use and disclosure of NRIC/NRIC numbers, it is apt to consider other alternatives to the NRIC/NRIC number to verify the identity of individuals.
Possible Alternatives to the NRIC/NRIC number
Partial NRIC Number
One of the alternatives to the NRIC/NRIC number suggested by the PDPC is the usage of partial NRIC numbers instead of the conventional full NRIC number. For example, an organisation could ask for only the last four digits and checksum of the NRIC number, “1234A”, instead of the full NRIC number. This will not be subject to the above-mentioned restrictions as it is not considered collection of the full NRIC number.
However, it is worth noting that although the usage of partial NRIC numbers is not subject to the same restrictions as NRIC numbers, organisations still have to fulfil and abide by the general PDPA obligations.
Transaction tracking number
Organisations could also issue a unique tracking number to individuals that they are dealing with in order to verify their identities. This will bypass the usage of NRIC numbers entirely while still allowing for the individual to be identified based on the unique tracking number that was given to them.
These are just some suggestions for possible alternatives to the usage of NRIC/NRIC numbers and it is important to consider other alternatives which may be able to fulfil the same purpose as the NRIC/NRIC numbers.
Lastly, it is important to consider that as the restrictions to the usage and collection of NRIC/NRIC numbers were only introduced recently, there may still be significant developments and changes that may be made. Thus, it is important to monitor and stay up-to-date with any changes to the PDPA, especially to determine whether there is a change in how applicable the PDPA is to you.
It is also important to consider that data protection concerns are constantly evolving and there are always unique circumstances for every case, hence it is advisable to seek legal advice when there are pressing concerns regarding the PDPA and how it may be applicable to you. Please note that this article does not constitute express or implied legal advice, whether in whole or in part. For PDPA obligations, Silvester Legal LLC is regularly engaged to assist our clients in reviewing their data collection policies and websites to ensure that they are in compliance with the PDPA. If you have any queries or require legal advice, please contact me at firstname.lastname@example.org.