I mentioned in a previous post that I was looking to submit a comment for a consultation on data protection regarding National Identity Cards (NRICs), but due to work commitments and a sudden streak of perfectionism, I was not happy with the text in time for the deadline.
Perhaps if there was an extended deadline…
Anyway, the points I wanted to make were as follows:
- Using a “legal requirement” is a bad justification and isn’t likely to satisfy discerning individuals.
- Organisations should, as far as possible, use on-sight verification instead of retaining copies of NRICs, and the guidelines should give more emphasis to this.
- NRICs should be classified as sensitive data.
My general opinion on the situation is that if an organisation seriously considers whether it needs to see the NRIC and what alternatives it could consider, there are very few use cases that really require an NRIC. If anything, the widespread use of NRICs is largely a result of sheer convenience and a lack of concern on the part of organisations about the risks of over-collecting such information. Singaporeans are a law-abiding bunch (perhaps too much), and it is time organisations repaid the trust by not doing things that would harm them.
So if the first guidelines were ridiculous when they wilted in their recognition of the realities on the ground, the revised guidelines are only mildly better. Since the guidelines should contain best practices and aspirational advice, it befuddles me why the guidelines bend over backwards to give in to reality.[1]
Anyway, it is not clear whether the use of NRICs would be as prevalent in future. With a digital identity being discussed as a smart nation initiative, the main benefit of the NRIC as the definitive document of identity in Singapore will have alternatives. I do hope that GovTech can design a system that can authenticate for private organisations.
I do recognise that just because there is a better solution out there does not mean that more people would use it. However, having a superior alternative should give the PDPC more ammunition to come down harder on organisations. They might even spur more to adopt such superior solutions.
The point is that the PDPC should be far more strict, since there is widespread agreement on the importance of NRICs. Perhaps that would happen in the third iteration of these guidelines.
[1] There might be a tempting argument that recognising reality is important, as having very strict rules would mean several organisations would run afoul of them. I am not so sympathetic. First, there is going to be a 1-year grace period. Second, I have never seen an enforcement decision cite a guideline as the basis of imposing a penalty. The PDPC takes the notion that the guidelines are not binding on their enforcement decisions very seriously.