Love.Law.Robots. is moving!
You're browsing the original version of the Love.Law.Robots. Check out the new site. It's prettier and packs loads of new features!
Updated NRIC Guidelines Released
`The Personal Data Protection Commission has released its finalised advisory on the Personal Data Protection Act for NRIC Numbers. NRICs are the national identity card system in Singapore, which is a unique identifier assigned by the Government to each Singapore resident which is frequently used as a required document or identified and transaction with the government. Due to its importance and ubiquity, the NRIC has been liberally used by anyone or everyone as some kind of collateral or unique identifier. This should change now.
While there are some edits to the proposed guidelines released during the public consultation, the PDPC has generally stuck to their original principles: Organisation may only collect, use or disclose NRIC Numbers in the following circumstances
- Collection, use or disclosure of NRIC numbers (or copies of NRIC) is required under the law (or an exception under the PDPA applies); or
- Collection, use or disclosure of NRIC numbers (or copies of NRIC) is necessary to accurately establish or verify the identities of the individuals to a high degree of fidelity.
It is important at this juncture to note how ridiculous the original advisory and applaud the PDPC for sticking to the high standards proposed. Your SMSes must have helped!
However, probing the issue reveals that there are limitations to what the PDPC can propose within the framework of the Personal Data Protection Act.
For example, it is not rocket science that other legislation trumps the PDPA. The PDPC says so itself in footnote 11 of the guidelines:
Section 13(b) of the PDPA provides that an organisation shall not collect, use or disclose personal data unless with the individual’s consent or if the collection, use or disclosure without consent is required or authorised under the PDPA or any other written law. Section 4(6) of the PDPA states that unless otherwise provided in the PDPA, nothing in Parts III to VI of the PDPA shall affect any authority, right, privilege or immunity conferred, or obligation or limitation imposed, by or under the law, including legal privilege, except that the performance of a contractual obligation shall not be an excuse for contravening the PDPA, and the provisions of other written law shall prevail to the extent that any provision of Parts III to VI is inconsistent with the provisions of that other written law.
So if the law states that you have to collect NRIC, the PDPA is not an excuse to avoid it.
Furthermore, since the PDPA excludes public agencies and organisations acting on their behalf, the PDPA does not apply to such activities (as the PDPC helpfully points out in response to concerns about them). That is a pretty huge gaping hole in the data protection regime. The PDPC assures us by stating (without much details) that the Government will review its processes to ensure that public agencies limit the use of NRIC numbers.
So if the first limb is really an explanation of how the PDPA is excluded from several kinds of activities, then what about the second limb? Compared to the original advisory which advised that NRIC numbers can be collected and used “for reasonable purposes for which consent has been obtained validly under the PDPA”, this could be considered the biggest change.
However, one question is what (if any) impact does breaching the guidelines have? There may be some indication that the unauthorised disclosure of NRIC numbers is presented in published decisions as an aggravating factor in determining penalties, but there are no guidelines considering how this is applied in fact. Furthermore, unlike the GDPR, the PDPA does not have a cateogry of “sensitive” personal data.
There is only so much guidelines from PDPC can do in furthering personal data protection in Singapore, and without more extensive changes to the underlying statutory regime, Singaporeans should not hold out hope that the situation would improve much further than this.