Businesses to be banned from collecting and using consumer NRIC data

Businesses will no longer be allowed to collect, use or disclose the National Registration Identity Card (NRIC) numbers of customers, with effect from 1 September 2019. This is unless circumstances include disclosures required by law, or the necessity to accurately establish or verify a person’s identity “to a high degree of fidelity”, a statement read.

As for retaining the information, organisations can only do so if required by law and ensure adequate protection measures are in place to safeguard said information. The move was part of an update to the Personal Data Protection Commission’s (PDPC) Advisory Guidelines to enhance consumer protection. The PDPC added that the move follows consultation with consumers and businesses last year, which received “strong support” for its proposals.

According to the PDPC, NRIC numbers are a “permanent and irreplaceable” identifier which can be used to unlock “large amounts” of information regarding an individual.

“In today’s digital economy, indiscriminate collection or negligent handling of NRIC numbers can increase the risk of unintended disclosure and may result in NRIC numbers being used for illegal activities such as identity theft or fraud,” the commission explained.

It added that the same treatment also extends to birth certificate numbers, foreign identification numbers and work permit numbers. As for passports, despite being periodically replaced, the PDPC added that organisations should too avoid collecting passport details unless justified.

Following the move, the PDPC and the Infocomm Media Development Authority (IMDA) will help organisations make the transition. This is by publishing a technical guide which advises organisations how to replace NRIC numbers with alternative identifiers for websites and public facing computer systems.

It will also identify pre-approved technology solutions such as visitor management systems and point of sales. In addition, it will also do the same for customer relationship management systems, through the SME Portal’s Tech Depot, to help organisations automate and align their operations with the updated Advisory Guidelines. Both PDPC and IMDA will also develop template notices that organisations can use to manage customer expectations during the transition period.