The only exceptions are if the collection, use or disclosure of NRIC is required by law, or deemed necessary to accurately verify one’s identity “to a high degree of fidelity” or pose a significant safety or security risk, the PDPC says.
File photo of an NRIC.
SINGAPORE: Organisations in Singapore will have to stop the practice of indiscriminate collection of people’s NRIC details from Sep 1 next year.
The Personal Data Protection Commission (PDPC) on Friday (Aug 31) issued its enhanced advisory guidelines following the close of the public consultation last December.
It said that under the updated guidelines, organisations can collect, use or disclose NRIC numbers or copies of the NRIC only under certain specific circumstances.
First, if they are required by the law or deemed necessary to accurately verify one’s identity to a “high degree of fidelity”, the PDPC said in its press release.
For example, a telco will continue to be allowed to keep a record or scanned copy of subscribers’ NRICs, as it is legally required to maintain a register of customers, the agency explained.
The second exception is when failing to provide NRIC details could pose a significant safety or security risk, or may pose a risk of significant impact or harm to an individual and the organisation, it added.
These could be transactions relating to healthcare or real estate matters like insurance applications and claims.
Another example of this exception would be when stores that sell cigarettes have to ask consumers for their NRIC to verify that they meet the minimum legal age for buying the product, PDPC said.
It did add that organisations should be able to justify why they are collecting NRIC numbers when asked by individuals or the PDPC.
“The NRIC number is a permanent and irreplaceable identifier which can be used to unlock large amounts of information relating to an individual,” the data privacy watchdog said.