Singapore privacy watchdog prohibits commercial use of identification numbers
The 31 August announcement established a general ban on the collection of National Registration Identification Card (NRIC) numbers and other sensitive information by businesses.
NRIC numbers are “unique identifiers” given to Singaporean citizens and permanent residents and have historically been used by companies for customer loyalty programmes and a range of internet services, including the online purchase of cinema tickets and submission of product feedback.
The guidelines say that “as the NRIC number is a permanent and irreplaceable identifier which can potentially be used to unlock large amounts of information relating to the individual, the collection, use and disclosure of an individual’s NRIC number is of special concern.”
The PDPC’s concerns about “the indiscriminate or negligent handling of NRIC numbers” and the potential for identity fraud to occur given the sensitivity of the information contained on the card were both driving forces behind the intervention.
“The physical NRIC not only contains the individual’s NRIC number, but also other personal data, such as the individual’s full name, photograph, thumbprint and residential address.”
The new guidelines also apply to other government-issued identification numbers, including foreign identification numbers and work permit numbers, as well as numerical identifiers on birth certificates and passports. Use of this information is governed by the Personal Data Protection Act 2012, breach of which can result in a fine of up to S$1,000,000.
Companies can now only ask for NRIC numbers if required by law or if necessary to prove an individual’s identity to avoid significant safety or security risks to an individual or the company. The ability of public bodies to collect the numbers is unaffected by the new guidelines.
The PDPC said that companies which currently use NRIC numbers as a form of identification can comply with the guidelines by collecting partial NRIC numbers – comprising only the last four digits – instead.
Adrian Fisher of Linklaters in Singapore said that “it has been common practice in Singapore for organisations to collect NRIC numbers from individuals and in some cases retain the physical NRIC. More often than not, this collection goes beyond what is reasonable and necessary to serve the purpose of the collection.”
“The new guidelines clarify for the public how organisations may achieve compliance with the PDPA so as to improve the Singapore data protection standards generally,” he added.
Anne Petterd, principal at Baker McKenzie Wong & Leow, said that the guidelines are “a welcome steer to organisations and individuals about acceptable collection and use of personal data in government-issued identity documents and cards” and “an articulation of appropriate behaviour on the use of personal data in government-issued identification”.
She added that “the guidelines bring a level of certainty and consistency to this issue for both organisations and individuals”.
Private sector businesses have until 1 September 2019 to comply with the new guidelines.
Copyright © Law Business ResearchCompany Number: 03281866 VAT: GB 160 7529 10