
PDPC Updated Advisory Guidelines on the PDPA for NRIC and Other National Identification Numbers

Date
June 28, 2019
Author
OrionW

The Personal Data Protection Commission (PDPC) issued updated advisory guidelines on 31 August 2018 to protect against the indiscriminate or unjustified collection, use or disclosure of individuals’ National Registration Identity Card (NRIC) numbers and retention of physical NRICs (the Updated Guidelines).  All organisations are required to comply with the Updated Guidelines by 1 September 2019.

The Updated Guidelines generally prohibit organisations from collecting, using or disclosing NRIC numbers (or copies of NRICs) or retaining physical NRICs.  Similar treatment applies to:

  • Birth certificate numbers, Foreign Identification Numbers and work permit numbers (collectively, other IDs).  Organisations are also advised to avoid collecting full passport numbers of individuals unless justified.
  • Retention of other IDs, including passports, driver’s licences and work passes.

Organisations may deviate from the general rule only when:

  • the collection, use or disclosure is required by the law or an exception under the Personal Data Protection Act 2012 (PDPA) applies, in which case an individual’s consent need not be obtained (Legal Basis Exception); or
  • it is necessary to accurately establish or verify an individual’s identity to a high degree of fidelity, in which case an individual’s consent must be obtained after giving appropriate notice (Identity Verification Exception).

The Updated Guidelines provide non-exhaustive examples of situations where the Legal Basis Exception applies, such as:

  • when seeking medical treatment at a general practitioner clinic, as required under the Private Hospitals and Medical Clinics Regulations;
  • when checking into a hotel, as required under the Hotels Licensing Regulations;
  • when subscribing to a mobile telephone line, as required under the Telecommunications Act;
  • where a new employee joins an organisation, as required under the Employment Act; or
  • in case of an emergency that threatens an individual’s health, as authorised under the Fourth Schedule of the PDPA.

The PDPC would consider the Identity Verification Exception to apply where the failure or inability to accurately establish or verify an individual’s identity to a high degree of fidelity may:

  • pose a significant safety or security risk, such as upon preschool visitor entry, where the safety and security of young children is an overriding concern; or
  • pose a risk of significant impact or harm to an individual and/or the organisation. Examples include fraudulent claims or transactions relating to healthcare, financial or real estate matters.

When relying on the Identity Verification Exception, an organisation should carefully assess each situation to ensure that collecting, using or disclosing an NRIC number (or a copy of an NRIC) is necessary and can be justified.

The PDPC encourages organisations to use alternatives to NRIC numbers, including adopting organisation- or user-generated IDs, tracking numbers, organisation-issued QR codes or monetary deposits, but reminds organisations to assess the suitability and reasonableness of their alternatives. If the alternatives are not satisfactory, organisations may collect partial NRIC numbers up to the last 3 numerical digits and checksum. However, partial NRIC numbers are still considered personal data under the PDPA to the extent that individuals may be identified from them, and organisations should therefore assess the risks associated with collecting and processing them.

Organisations should start implementing the necessary changes to align their existing business practices and processes with the Updated Guidelines. Where an NRIC or other ID number is collected or a copy thereof is retained, organisations must take reasonable steps to provide it with a greater level of security, given the likely adverse effects of its unauthorised use or disclosure.
