Suddenly noticed a stream of websites asking you to change your user-id? It was only 1 year ago when the Personal Data Protection Commission updated its guidelines regarding the collection and use of national identity cards. I described the previous rules as ridiculous — they reflect how organisations use ID cards and numbers more than providing how organisations should use them.
Unsurprisingly, NRICs regularly appeared in the list of data lost in a data breach. The PDPC labelled them as sensitive data. Last year, the updated guidelines provided a definitive statement of how NRICs. Media coverage featured it heavily and organisations took notice. Helpfully, the media also provided a reminder lately.
The new rules reflect how the use and collection of NRIC numbers and cards should have been interpreted with respect to the Personal Data Protection Act. In summary, there are only two legitimate bases to use such data:
- A written law provides that NRIC numbers and cards can be collected.
- Using an NRIC is necessary to verify the identity of its holder.
This is really quite strict, as it should have been in the first place. It is quite interesting to note what it outlaws:
- NRICs should not be used as an identification number in a private system.
- NRICs cannot be used as collateral (such as for entering a building or renting bicycles).
It is also useful to note what it does not affect. Generally these are provided under fairly generous interpretations of statutory provisions under Singapore law. A good list is provided by the PDPC here. Some highlights include:
- Employee records
- Health records
- Collecting NRICs as a licensed moneylender
- Applying for a phone
I also wrote an article for the IAPP. I argued that the NRIC guidelines showed increasing protection for personal data in Singapore, and how that points the way forward.
One can argue that an NRIC number is just another piece of information. Sure, if users reverted to using NRIC numbers anyway, then all this is for nought. (This is possible for the dozens of websites that allow you to choose a new user identification. Why not pick the old one?)
It is not even clear whether NRIC numbers, or even sensitive data, net you greater fines or increased negative publicity. This might really be an exercise in fixing what was one of the weaker areas in the PDPC’s official guidelines.
However, I would still argue that this is still an exciting development. Like the GDPR, its punishment may not be obvious now. But then, a culture of protecting personal data is starting to take root in Singapore, and that is still worth its weight.