This article aims to provide an overview of the NRIC advisory guidelines[1] that take effect on 1 September 2019 (“New Guidelines”) under the Personal Data Protection Act[2] (“PDPA”), and the practical issues that organisations may encounter in relation to the New Guidelines.
An overview of the PDPA and the New Guidelines
The PDPA and what it governs
The PDPA helps to ensure a satisfactory level of personal data protection in Singapore and requires organisations (defined broadly to include enterprises, and individuals not working in a personal or domestic capacity) to protect personal data of individuals. Importantly, the PDPA only governs personal data which is defined as “data, whether true or not, about an individual who can be identified (1) from that data, or (2) from that data and other information to which the organisation has or is likely to have access”. Examples of personal data include full names, personal mobile telephone numbers, photographs, and personal identification numbers.
In determining whether there has been a breach of PDPA obligations, the Commission will have regard to the legislative purposes of protecting individuals and facilitating commercial activities in Singapore as a business hub. If an organisation is found to have breached its PDPA obligations, the Commission may impose a financial penalty of up to S$1 million.
Personal IDs as a special class of personal data
One pertinent example of personal data is the national identification number of an individual, such as NRIC numbers, Birth Certificate numbers, Foreign Identification Numbers (FIN), Work Permit numbers and passport numbers (“Personal ID”). Personal IDs are especially sensitive and deserving of special attention, as they are unique to an individual and generally unchangeable. Personal IDs are often used in Government and commercial transactions and can be used to unlock vast amounts of information relating to an individual. The distinctiveness and importance of Personal IDs increase their value and, in tandem, the risks of any unauthorised disclosure of or access to such Personal IDs.
It is hardly surprising that Personal IDs make an attractive target for hackers, as such compromised data can be sold on the black market or used in future phishing attacks to obtain further valuable personal or financial information about those individuals. According to industry estimates,[3] a Personal ID costs much more than other types of personal data on the black market. Personal IDs which end up in the wrong hands may be used for illegal activities such as identity theft and fraud. Identity theft refers to the act of stealing another person’s personal data for the purpose of assuming that person’s identity to obtain a benefit or to commit fraud or other crimes.
The New Guidelines effective on 1 September 2019
In recognition of the sensitive nature of Personal IDs, the Commission has issued the New Guidelines to help clarify the PDPA obligations when handling Personal IDs with the aim of preventing indiscriminate and negligent handling of Personal IDs. Specifically, the New Guidelines detail how the PDPA applies to the collection, use, and disclosure of Personal IDs by organisations. This would include the retention of physical NRICs by organisations.
Generally, it would be legal to collect, use, and disclose Personal IDs when: (a) required by law; or (b) there is a need to accurately establish or verify the identities of the individuals to a high degree of fidelity. The need to verify an individual’s identity to a high degree of fidelity will be met where:
- the failure to accurately identify the individual to a high degree of fidelity may pose a significant safety or security risk; or
- the inability to accurately identify an individual to a high degree of fidelity may pose a risk of significant impact or harm to an individual and/or the organisation.
In situations where the collection of Personal IDs is necessary to accurately establish or verify the identity of the individual to a high degree of fidelity, organisations can collect, use, or disclose the individual’s Personal ID for the stated purpose of the collection.[4] Nevertheless, organisations must always comply with the PDPA.
The New Guidelines also make it clear that organisations must not retain physical NRICs, unless such retention is required by law. Organisations may request sight of the physical NRIC for verification purposes, as long as the physical NRIC is returned as soon as verification is completed.
Practical issues that might arise from the New Guidelines
With the impending implementation of the New Guidelines, organisations should take steps to review their existing systems and processes to identify and purge any unnecessary or excessive collection, use or disclosure of Personal IDs. This may mean replacing the use of Personal IDs in existing systems, or existing NRIC numbers in databases, with an alternative identifier, where appropriate. This may not always be an easy task, as it requires a commitment of resources and time; this may be a challenge particularly for small and medium-sized enterprises. Moreover, the test of ascertaining whether the collection of Personal IDs is necessary for identity verification to a high degree of fidelity means that organisations are often faced with risk assessments and judgement calls on data compliance matters, something that can be time-consuming and daunting for anyone who is not legally trained or familiar with data protection matters.
To minimise these issues, it would be vital to raise greater awareness of the New Guidelines and of data protection and cyber-security issues within the organisation. Organisations should focus on establishing a data protection culture through their policies, regular staff training and communications with employees and stakeholders. With the right knowledge and attitude, each individual would be adept at improving their own data handling and protection practices, and the daily practices of the organisation as a whole would become more secure, as there is greater individual awareness of (i) the likelihood and repercussions of a data breach, as well as (ii) the importance of complying with company policies and legislation. This would enhance the general quality of daily practices regarding digital security in commercial transactions as well as in activities done in one’s personal capacity. This would in turn raise Singapore’s quality of defence in the digital world.
Conclusion
The New Guidelines will undeniably reinforce data protection laws in Singapore. While this has the effect of increasing compliance costs for organisations, organisations should bear in mind that the reputational damage or loss from non-compliance, or from data breaches resulting from lax data protection practices or processes, can often be more costly. With the right mindset and knowledge, data protection compliance efforts may not be as difficult or challenging as one might think.
[1] Personal Data Protection Commission, ADVISORY GUIDELINES ON THE PERSONAL DATA PROTECTION ACT FOR NRIC AND OTHER NATIONAL IDENTIFICATION NUMBERS (Issued 31 August 2018) https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guidelines-for-NRIC-Numbers—310818.pdf, accessed 10 October 2018.
[2] Singapore Statutes Online, PERSONAL DATA PROTECTION ACT 2012 (No. 26 of 2012), https://sso.agc.gov.sg/Act/PDPA2012, accessed 10 October 2018.
[3] Straits Times, Irene Tham, TIME TO END OVERUSE OF THE NRIC (Published 16 November 2017) https://www.straitstimes.com/opinion/time-to-end-overuse-of-the-nric, accessed 10 October 2018.
[4] Supra note 1 at paragraph 3.16.
This article is written by Geraldine Tan from Amica Law and edited by Lenon Ong from Asia Law Network.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practising lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.