Illegal to collect NRIC numbers and make copies of identity card from 1 September 2019

Collecting NRIC numbers and making copies of the identity card will be illegal once revisions to the Personal Data Protection Act (PDPA) take effect from 1 September 2019, according to the Personal Data Protection Commission (PDPC). The only exceptions are if the collection, use or disclosure of the NRIC number is required by law or deemed necessary to accurately verify one’s identity to a high degree of fidelity. Examples of the latter exception are where failure to do so may pose a significant safety or security risk or a risk of significant impact or harm to an individual and/or the organisation.

Organisations should consider whether they need to retain NRIC numbers that they collected. If not, they are required to dispose of the information in compliance with PDPA disposal methods.

What should businesses do?

Businesses should start with a data inventory check to determine data retention or destruction. First, has the company appointed a Data Protection Officer (DPO)? Second, has it established a data inventory map? If so, it would need to check what information is collected, as well as who owns it and how it is used. The company also needs to assess the implications of keeping or removing NRIC numbers in its records. If it has not appointed a DPO or established a data inventory map, it should do so immediately.

What are some alternative identifiers?

Companies may consider the following as alternative identifiers:

• User-selected Identifier/User Name
• Organisation-selected Identifier
• Email Address
• Mobile Number
• Combination of Alternative Identifiers
• Partial NRIC Number (i.e. Organisation uses the last three digits and last letter of the individual’s NRIC number, in combination with other data)

The PDPC said it will work with the Info-communications Media Development Authority to do the following:

• Publish a technical guide that will provide organisations with information on how they can replace NRIC numbers with alternative identifiers for websites and public-facing computer systems.
• Identify pre-approved technological solutions for them to adopt.
• Develop template notices that organisations can use to manage customer expectations during the transition period. The PDPC has published a template notice on its website.

The process of replacing NRIC numbers with alternative identifiers and user names on websites and other public-facing systems can be divided into three separate phases:

1. Preparation — Choose the NRIC number replacement, identify where the NRIC number is displayed and retained, as well as consider whether such retention is required.

2. Implementation — Check that users’ alternative identifiers are recorded and assigned correctly and plan the processes for handling users who cannot be contacted or do not provide their alternative identifiers during the implementation period.

3. Post-implementation — Disable user accounts that do not have replacement identifiers. Companies can put up a notice on the website/system to notify users who did not change their identifiers that their accounts have been disabled, and communicate the process of reactivating their accounts (e.g. to contact the system administrator).

How should companies prepare for the revised PDPA regulations?

Companies should perform an assessment to identify databases and systems that utilise NRIC, foreign identification and work permit numbers. The process of identifying and replacing these personal identifier numbers should commence soon.

In addition, organisations must ensure that there are adequate security arrangements to prevent any unintended disclosure of the NRIC number and protect copies of the NRIC kept by the organisation.

Companies must also quickly perform a health check to ensure that their IT controls are robust enough to protect the security of personal data. They should start by asking the following questions:

• Is my firewall strong enough to prevent unauthorised access from the internet?
• Do my databases, servers and personal computers have the latest updates and patches?
• Have I performed a vulnerability assessment of my system?
• Can my antivirus software protect me from known malware and phishing threats?
• Are there mechanisms to control access to my data, such as strong passwords, two-factor authentication, granting of appropriate entitlements and/or control of privilege accounts?
• Is there an audit trail for me to investigate if there is a breach?
• Are users aware of the threats as well as their roles and responsibilities in protecting confidential information?
• Do I know how to handle the situation if there is a breach?
• Is a security policy available?
• Is my data encrypted in areas such as databases, thumb drives and portable hard drives?

What support programmes/grants can businesses tap into?

The Productivity Solutions Grant can help local SMEs to improve their personal data protection processes.

Who can I consult?

Our team of auditors and risk advisory specialists helps numerous clients in diverse industries to review their data protection processes and security controls. Contact us for assistance or enquiries.

SPEAK TO OUR EXPERTS:

Hoi Wai Khin, Partner, Risk Advisory 
T: +65 6594 7880 
[email protected]

Wendy Chua, Senior Manager, Risk Advisory 
T: +65 6594 7669 
[email protected]