Darren Grayson Chng, our Singapore correspondent, reports on recently updated guidelines in Singapore clarifying how Singapore’s Personal Data Protection Act applies to national identification documents.
In Singapore, each citizen and permanent resident in Singapore above age 15 is generally required to have a National Registration Identity Card (NRIC).
Every NRIC displays the following information:
Over the years, NRIC data, particularly NRIC numbers, had been collected for an increasing number of purposes – from mobile phone line subscriptions to lucky draws, from retail memberships and loyalty rewards to security clearance into restricted office buildings.
At the same time, a rising awareness of privacy issues, identity theft and fraud had made Singaporeans uncomfortable with the rampant and indiscriminate collection of their NRIC data, exemplified in reports that one Singaporean maintained two different identities for over 15 years. Each had its own mobile phone number, email, Facebook, and LinkedIn accounts. One was for official purposes. The other, for gym and reward card memberships.
So on 31 August 2018, cheers went around when the Personal Data Protection Commission (PDPC) updated existing advisory guidelines on how the country’s Personal Data Protection Act (PDPA) applies to NRICs and other national identification documents.
First, what is the legal status of the advisory guidelines?
Section 49(1) of the PDPA allows the PDPC to issue written advisory guidelines indicating the manner in which it will interpret the provisions of the PDPA. In its public consultation cover note, the PDPC took pains to point out that “these guidelines are advisory in nature and are not legally binding on the Commission [or] any other party”.
Separately, the PDPC reiterated in both the closing note to its public consultation and the updated advisory guidelines that public agencies in Singapore are excluded from the Data Protection Provisions of the PDPA, and that the updated advisory guidelines will not apply to public agencies or organisations acting on behalf of public agencies. The PDPC pointed out that “[a]s the issuing authority for the NRIC, the Government rightfully uses the NRIC to discharge its functions and services with citizens in a secure manner”.
Nevertheless, the closing note states that the Government will review its processes to ensure that public agencies also follow the updated advisory guidelines.
When can NRIC numbers (or copies of NRICs) be collected, used or disclosed?
The Advisory Guidelines on the PDPA for NRIC and Other National Identification Numbers (Updated Advisory Guidelines) identify two circumstances:
(1) where the collection, use, or disclosure of NRIC numbers (or copies of NRICs) is required under the law (or an exception under the PDPA applies); or
(2) where the collection, use, or disclosure of NRIC numbers (or copies of NRICs) is necessary to accurately establish or verify the identities of the individuals to a high degree of fidelity.
The Updated Advisory Guidelines clarify that when an organisation collects a copy of an NRIC, it is considered to have collected all of the personal data on the NRIC, and will be subject to the applicable data protection provisions of the PDPA for that collection.
In comparison, the “old” Advisory Guidelines of September 2013 (Old Advisory Guidelines) merely suggested that “[a]s a best practice, organisations should avoid over-collecting personal data, including NRIC numbers, where this is not required for their business or legal purposes”, and that “organisations that collect NRIC cards and the personal data on it would be subject to the PDPA in relation to the collection of such personal data”.
When might the “high degree of fidelity” limb apply?
The Updated Advisory Guidelines state:
PDPC would generally consider it necessary to accurately establish or verify the identity of [an] individual to a high degree of fidelity in the following situations –
(1) Where the failure to accurately identify the individual to a high degree of fidelity may pose a significant safety or security risk. …
(2) Where the inability to accurately identify an individual to a high degree of fidelity may pose a risk of significant impact or harm to an individual and/or the organisation. …
The example given for (1) is visitors wishing to enter preschools, where the safety and security of young children is an overriding concern.
The example given for (2) is where there is a risk of fraudulent claims which may result in reputational, financial, personal, or proprietary loss or damage. The Updated Advisory Guidelines note that “such transactions typically relate to healthcare, financial or real estate matters, such as property transactions, insurance applications and claims, applications and disbursements or substantial financial aid, background credit checks with credit bureau[s], and medical check-ups and reports”.
When can physical NRICs be retained?
In Singapore, it is common for security teams of restricted office buildings to collect NRIC numbers, and on top of that retain the physical NRICs or other identification documents.
The Old Advisory Guidelines stated that “policies governing the collection and retention of the physical NRIC card are not governed by the PDPA”.
In a huge turnaround, the Updated Advisory Guidelines now make it clear that organisations should generally not retain the physical NRIC unless it is required under the law. This is in view of the impact on the individual if the physical NRIC is misplaced, stolen, or used for illegal activities such as identity theft or fraud.
What if an organisation just wants to check the NRIC for verification purposes?
The Updated Advisory Guidelines say that organisations may have sight of the physical NRIC and the information on it for verification purposes. An example is age verification for the purchase of tobacco.
Where there is “no intention to obtain control or possession of the physical NRIC” when checking it to establish or verify the individual’s identity, the NRIC is returned to the individual immediately, and no personal data is retained once the NRIC is returned, the PDPC will not consider those actions to be a collection of personal data.
Possible alternatives to NRIC numbers
The PDPC did not leave organisations high and dry – when the Updated Advisory Guidelines were published, the PDPC also released a Technical Guide containing tips for the replacement of national identification numbers (NIN) as a way of identifying individuals.
Part of the Technical Guide suggests alternatives to NINs such as user or organisation selected identifiers, email addresses, mobile numbers, and partial NRIC numbers.
Interestingly, the Updated Advisory Guidelines do not leave this entirely to the Technical Guide but also touch on the topic, albeit lightly, except in relation to the use of partial NRIC numbers, which they address in more detail. This indicates that even partial NRIC numbers may be sensitive information.
Indeed, the Updated Advisory Guidelines rightly state that partial NRIC numbers are considered personal data under the PDPA to the extent that an individual can be identified from it, or from a combination of the partial number and other information which the organisation has or is likely to have access to.
However, the Updated Advisory Guidelines will not apply to the collection of partial NRIC numbers, insofar as they consist of up to the last three numerical digits and checksum of the NRIC number. This is because the PDPC does not consider that to be a collection of the full NRIC number.
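As an added illustration of the partial-number rule above (this is not code from the PDPC or its Technical Guide), the following Python reduces a full NRIC number to the form the Updated Advisory Guidelines exclude from their scope, the last three numerical digits and the checksum, and scans existing records for full numbers that should have been minimised. It assumes the NRIC layout of one prefix letter, seven digits and one checksum letter; the sample values and log line are constructed.

```python
import re
from typing import Dict, List

# Assumed NRIC layout (the article does not spell it out): one prefix letter,
# seven digits, one checksum letter. Values such as "S1234567A" used below
# are constructed samples, not real identifiers.
FULL_NRIC = re.compile(r"\b([A-Z])(\d{7})([A-Z])\b", re.IGNORECASE)

MASK_CHAR = "*"


def mask_nric(nric: str) -> str:
    """Reduce a full NRIC number to the partial form an organisation may hold
    under the guidelines: the last three numerical digits plus the checksum
    letter, with the prefix and the first four digits masked."""
    m = FULL_NRIC.fullmatch(nric.strip())
    if m is None:
        raise ValueError("value does not match the assumed NRIC layout")
    prefix, digits, checksum = m.groups()
    kept = digits[-3:] + checksum.upper()
    return MASK_CHAR * (len(prefix) + len(digits) - 3) + kept


def find_full_nrics(text: str) -> List[str]:
    """Return every full NRIC number found in free text (a CSV export, a
    visitor log line, a support ticket). Useful as a detection check that a
    data store no longer retains full numbers it is not entitled to keep."""
    return [m.group(0).upper() for m in FULL_NRIC.finditer(text)]


def minimise_record(record: Dict[str, str]) -> Dict[str, str]:
    """Rewrite each field of a record so that any full NRIC number is replaced
    by its permitted partial form; all other text is left untouched. Applying
    it twice is a no-op, since a masked value no longer matches FULL_NRIC."""
    return {
        key: FULL_NRIC.sub(lambda m: mask_nric(m.group(0)), value)
        for key, value in record.items()
    }


if __name__ == "__main__":
    # Constructed visitor-register entry and log line for demonstration.
    entry = {"name": "Visitor One", "nric": "S1234567A",
             "note": "id S1234567A sighted at reception"}
    print(minimise_record(entry))
    print(find_full_nrics("09:12 visitor t7654321z signed in"))
```

The scanning function is the defensive half of the picture: run it over exports of the systems that used to collect full NRIC numbers to find records that still need minimising before the guidelines take effect.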
When will the Updated Advisory Guidelines kick in?
The PDPC will apply the interpretation of the PDPA in the Guidelines from 1 September 2019. This gives organisations 12 months from the date of the Updated Advisory Guidelines to review and update their business processes.
Darren Grayson Chng