Article
Singapore privacy regulator proposes to clamp down on the use of national identifications
Earlier this week, the Personal Data Protection Commission (PDPC) of Singapore issued new draft privacy guidelines (Proposed Advisory Guidelines on the Personal Data Protection Act for NRIC numbers) relating to the collection and use of National Registration Identification Card ("NRIC") numbers.
The NRIC number is a unique identifier issued to all Singaporeans at around the age of 15 and is used for all transactions with the Singapore Government. The NRIC includes a large amount of personal data including the full name of each individual, residential address, blood type, photograph, thumbprint, date of birth, race, country of birth and a unique number.
This NRIC number is, however, widely used by many organisations in Singapore to identify individuals for a broad variety of purposes. The PDPC has said that the "indiscriminate collection and use of individuals' NRIC numbers is of special concern as it increases the risk that NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud."
In principle the PDPC is putting forward the position that NRIC numbers should not be collected, unless:
- The collection, disclosure or use is required by law; or
- The collection, use and disclosure is necessary to establish and verify the identity of the individual
In addition, the PDPC is proposing to clamp down on the widespread practice of collection of the physical NRIC by organisations, for example when visiting building premises or renting a bicycle. Organisations should not keep the physical NRIC of an individual unless they can justify it based on the two principles above. In particular, the PDPC is confirming the position that the collection and retention of the physical NRIC amounts to the act of collection of all the personal data found on the NRIC and its retention for the period the NRIC is kept.
Whilst this may appear to be a simple clarification to the law, the proposed change, if implemented, would require many organisations and businesses to change their current practices of using the NRIC numbers for purposes such as membership numbers. For this reason, the PDPC is proposing a 12 month grace period from the issue of final advisory guidelines, for organisations to implement the changes necessary.
The public consultation period for the Proposed Advisory Guidelines on the Personal Data Protection Act for NRIC numbers runs until 18 December 2017 and organisations may provide submissions on the proposals.
For more information on these proposed advisory guidelines, or other privacy issues, please contact Sheena Jacob at sheena.jacob@jurisasiallc.com
CECI NE CONSTITUE PAS UN AVIS JURIDIQUE. L'information qui est présentée dans le site Web sous quelque forme que ce soit est fournie à titre informatif uniquement. Elle ne constitue pas un avis juridique et ne devrait pas être interprétée comme tel. Aucun utilisateur ne devrait prendre ou négliger de prendre des décisions en se fiant uniquement à ces renseignements, ni ignorer les conseils juridiques d'un professionnel ou tarder à consulter un professionnel sur la base de ce qu'il a lu dans ce site Web. Les professionnels de Gowling WLG seront heureux de discuter avec l'utilisateur des différentes options possibles concernant certaines questions juridiques précises.