With effect from 1 September 2019, organizations are generally not allowed to collect, use or disclose National Registration Identity Card (NRIC) numbers and copies of NRIC and other national identification numbers, except in certain specified circumstances.
Notwithstanding clear guidance documents issued by the Personal Data Protection Commission (PDPC), it appears that some organizations continue to collect, use or disclose such national identification numbers in breach of the Personal Data Protection Act (PDPA).
In May 2021, a recruiter was sentenced to seven months and six weeks’ imprisonment and fined SGD 3,000 (approximately USD 2,300) for illegally retaining scanned copies of the NRICs of job applicants, and thereafter, using the NRICs to redeem over 200 face masks from vending machines installed by the Singapore government.
This serves as a timely reminder on compliance with the rules governing the collection, use or disclosure of NRIC and other national identification numbers in Singapore. Importantly, organizations should put in place adequate measures to protect such personal data and minimize the risk of employee misuse of such personal data, including any legitimately collected NRIC numbers and copies of NRIC or other national identification numbers. This is especially given the sensitivity and potential adverse impact to the individual of any unauthorized use or disclosure of their NRIC number.
With effect from 1 September 2019, pursuant to guidelines issued by the PDPC on the applicable standard for the permissible collection, use or disclosure of NRIC numbers and the retention of physical NRICs, organizations are generally not allowed to collect, use or disclose NRIC numbers or copies of NRICs, except in the following specified circumstances:
a) The collection, use or disclosure of NRIC numbers (or copies of NRICs) is required under the law (or an exception under the PDPA applies).
b) The collection, use or disclosure of NRIC numbers (or copies of NRICs) is necessary to accurately establish or verify the identities of the individuals to a high degree of fidelity.
Notwithstanding such guidelines, there continues to be reports of organizations and individuals that continue to collect, use or disclose such national identification numbers or fail to put in place reasonable security arrangements to protect NRIC numbers in their possession or under their control, in breach of the PDPA.
For example, on 10 May 2021, a recruiter was sentenced to seven months and six weeks’ imprisonment and fined SGD 3,000 (approximately USD 2,300) for, among other offenses, retaining illegally obtained personal data. As a recruiter, he received the curriculum vitae and scanned copies of the NRICs of job applicants. It is legally permissible for recruiters to obtain job applicants’ NRIC numbers where it is required for compliance with the Employment Act, but there is no requirement under the law to ask for NRIC numbers for the purpose of job applications. In any event, the recruiter retained the NRIC copies of 384 individuals in his mobile phone, even after he left his job as a recruiter. He then used the NRIC numbers to redeem 207 face masks issued by the Singapore government from various vending machines on three occasions.
Separately, in the PDPC decision “In the matter of an investigation under Section 50(1) of the Personal Data Protection Act 2012 and Singapore Taekwondo Federation,” a financial penalty of SGD 30,000 (approximately USD 23,000) was imposed on the Singapore Taekwondo Federation. The NRIC numbers of 782 students were set out in columns that were publicly accessible, due to an inadvertent error by the organization’s head of the tournament department. The PDPC found that, among others, the organization did not implement any personal data policy and left the manner of handling the students’ personal data to an “unwritten SOP.”
The NRIC number can potentially be used to unlock large amounts of information relating to the individual. Consequently, the PDPC has designated the collection, use and disclosure of an individual’s NRIC number as being of special concern.
Prior to the issuance of the PDPC guidelines that took effect on 1 September 2019, it was fairly common for organizations in Singapore to collect an individual’s NRIC number even in circumstances that did not appear warranted, such as for a shopper to participate in a lucky draw, for a customer to sign up for a customer loyalty program or for the redemption of free car park coupons at a shopping mall. It is therefore timely for organizations to be cognizant of the guidelines issued by the PDPC in relation to the limited circumstances under which the collection, use and disclosure of NRIC numbers is permissible.
Further, in the two cases discussed above, the breaches were attributable to employee misconduct or error. This serves as a timely reminder for organizations to educate their employees and put in place safeguards to prevent contraventions of the PDPA and related NRIC rules. These include keeping NRIC information only in secured company-issued devices with a “view-only” setting where the mass transfer of NRIC information is prohibited, and ensuring that NRIC copies are destroyed as soon as they are no longer needed.
For further information and to discuss what this might mean for you, please get in touch with your usual Baker McKenzie contact.
Baker McKenzie Wong & Leow is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.