Illegal for organisations to ask for NRIC number starting from Sept. 2019

Your NRIC details are precious.

Matthias Ang | August 31, 2018, 04:50 PM

Starting from Sept. 1, 2019, organisations will have a much tougher time collecting your NRIC number and making copies of it for their own purposes.

This is due to tougher new guidelines issued by the Personal Data Protection Commission (PDPC) on Aug. 31 under the Personal Data Protection Act (PDPA).

Once the new rules swing into effect, organisations will no longer be able to ask for your NRIC number should you choose to participate in activities such as a lucky draw, buying tickets for a movie, redeeming free parking or simply just changing for a visitor pass into buildings.

So what do these rules fully entail?

First formulated in November 2017 by the PDPC, the new rules stipulate that with effect from Sept. 1 next year:

  • Organisations may only collect NRIC numbers from individuals where it is required by law or where failing to identify the individual could result in harm to themselves or other individuals. Scenarios that fall under these instances include:

    • Healthcare-related matters and transactions (i.e. making a doctor's appointment)
    • Real estate-related matters and transactions
    • Subscribing to a new phone line
    • Checking into a hotel
    • Getting hired at a new organisation

    In the case of purchasing of cigarettes, consumers will still be asked to display their NRIC to verify that they meet the minimum legal age for buying the product.

    [related_story]

    • These measures additionally apply to collection of birth certificate numbers, foreign identification numbers and work permit numbers, as they all count as personal data under the PDPA.
    • It will also be illegal for organisations to physically hold on to your NRIC.
    • For organisations that have already collected NRIC numbers, they are encouraged to assess if they need to retain these numbers. If not, they should dispose of them responsibly and in compliance with Personal Data Protection Act (PDPA) disposal methods by next year.
    • Organisations found to be in violation of these rules can fined up to SGD1 million.

    The exceptions to these rules are the public sector.

    However, the government has acknowledged that it will also look at minimising the use of NRICs within organisations in the public sector as well, according to Channel NewsAsia.

    What about partial NRIC numbers?

    While the last three numerals and letter of an NRIC number is not considered a full NRIC number, it is still considered personal data under the PDPA.

    As such, organisations which engage in collection of partial NRIC numbers must adhere to the standards set by the PDPA in securing the data and preventing its disclosure.

    In the meantime, the PDPC has recommended that organisations come up with alternate ways to NRIC number collection for identifying purposes, such as user-generated ID or organisation-issued QR codes, among others.

    Top image from IRI: Total Data Management