Singapore recently recognised that national registration identification cards need a greater level of security and protection than other forms of personal information. With the deadline for compliance a year away, what should organisations do now?
Data: legislative reform, consumer concern, regulatory inquiry and corporate compliance, among other things, have prompted organisations to review their internal policies and procedures.
How we collect, use and disclose data is changing globally, and enforcement is a growing concern for those affected. International legislative transformation and consolidation, such as the introduction of the GDPR, demonstrates that reform is afoot. Developments in Singapore exemplify this momentum.
In February 2018, Singapore joined the APEC Cross Border Privacy Rules System, making it the sixth APEC country to do so. In the same month, a Cybersecurity Bill was passed, which introduced a framework for the regulation of providers of critical information infrastructure – certain parts of the resulting Act (Cybersecurity Act 2018) came into force in August 2018.
On the same day, new guidance (the Guidelines) was released by the Personal Data Protection Commission on National Registration Identification Cards (NRICs), the identity card for Singapore citizens and permanent residents.
When issued with an NRIC, Singapore citizens and permanent residents are assigned a unique number (an NRIC number) by the Government.
NRIC numbers are used in Singapore by individuals, both in their engagement with the government, as well as in commercial transactions (for example, NRIC numbers have been required for purchases as mundane as online cinema ticket bookings).
The NRIC number is clearly marked on an individual's NRIC card, together with the individual's full name, race, sex, date of birth, country of birth, address, and thumb print.
An NRIC number does not change and is not easily replaced. It is a unique identifier; a marker of an individual's sensitive personal information.
In light of these factors, NRICs have been identified by the Commission as requiring a greater level of security and protection than other forms of personal information.
The Guidelines set out the manner in which NRICs should be treated, under the Personal Data Protection Act (PDPA).
Organisations have until 1 September 2019 to comply, with fines for breaching the PDPA of up to S$1 million.
The collection of NRICs or NRIC numbers provides an organisation with access to an individual's sensitive personal information.
Indiscriminate collection or negligent handling of NRICs can therefore increase the risk of unintended disclosure which could lead to identity theft or fraud.
In recognition of this, the Guidelines state that, as a general proposition, organisations should not collect, use or disclose NRICs or NRIC numbers.
Collection of NRICs and NRIC numbers is to be the exception rather than the rule.
Furthermore, organisations should generally not retain an individual's physical NRIC unless such retention is required under the law.
However, the Commission sets out two broad circumstances in which NRICs may be collected, used and disclosed, namely where:
The Guidelines provide that the same treatment should be afforded to birth certificate numbers, foreign identification numbers and work permit numbers.
Although passport numbers differ from NRIC numbers, as they are changed on a periodic basis, the Guidelines note that similar protections should be afforded for these documents, reflecting the corresponding risk that passport numbers may pose in respect of identity fraud.
In particular, where there is a need to collect passport numbers, entities should limit such collection to a segment of the passport number and put into place appropriate levels of security to protect the number.
The Commission acknowledges that there will be circumstances in which NRICs are required to be collected under the law. It provides a non-exhaustive list of examples, including when:
Certain exceptions under the PDPA may also apply, including where disclosure of NRIC numbers is made in an emergency situation.
Circumstances where NRICs are not required include participating in surveys and renting a bicycle; and although NRICs are required when employees join a company, they are not required by law for job applications.
NRIC details may be collected, used or disclosed in circumstances where failure to establish or verify an individual's identity will either pose a significant safety or security risk, or where a higher degree of fidelity is required and a failure to achieve the same poses a risk of significant impact or harm to an individual or an organisation.
In the Guidelines, the Commission has set out a number of alternatives to collecting NRICs/NRIC numbers.
One such example is the collection of partial NRIC numbers. A number will be a partial NRIC number when it consists of only the last three numerical digits and a checksum of the NRIC number, though this is still personal data and needs to be treated in accordance with the PDPA.
Other examples provided include the collection of mobile phone numbers or email addresses, or for entities to generate their own individual identifier codes.
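As an added illustration of the partial-NRIC alternative described above (this is example code written for this page, not code from the Commission or from Hogan Lovells), the functions below reduce a full NRIC number to its last three digits plus checksum character and redact full NRIC numbers found in free text such as log lines. The NRIC shape used here (one prefix letter, seven digits, one checksum letter) and the sample value `S1234567D` are assumptions constructed for the example; the checksum character is not validated. The partial number returned is still personal data under the PDPA, as the Guidelines note, so it must still be handled accordingly.

```python
import re

# Assumed NRIC shape for this example (not taken from the Guidelines):
# one prefix letter, seven digits, one checksum letter, e.g. the constructed
# value "S1234567D". The checksum letter itself is not verified here.
_NRIC = r"([STFGM])(\d{4})(\d{3})([A-Z])"
NRIC_FULL = re.compile(rf"^{_NRIC}$", re.IGNORECASE)
NRIC_IN_TEXT = re.compile(rf"\b{_NRIC}\b", re.IGNORECASE)
MASK = "*" * 5  # replaces the prefix letter and the first four digits


def partial_nric(nric: str) -> str:
    """Return the partial form (last three digits + checksum) of a full NRIC.

    Raises ValueError for input that does not look like an NRIC, so that
    malformed data is never half-masked and quietly stored in full.
    """
    m = NRIC_FULL.fullmatch(nric.strip())
    if not m:
        raise ValueError("input does not match the expected NRIC format")
    return (m.group(3) + m.group(4)).upper()


def redact_nrics(text: str) -> str:
    """Replace every full NRIC-shaped token in free text with its masked,
    partial form, so that logs and tickets do not retain the full number."""
    return NRIC_IN_TEXT.sub(
        lambda m: MASK + (m.group(3) + m.group(4)).upper(), text
    )


def is_partial_nric(value: str) -> bool:
    """True when a stored value is already the partial form (3 digits + 1 letter),
    useful when auditing a datastore for full NRIC numbers that should not be there."""
    return re.fullmatch(r"\d{3}[A-Z]", value) is not None


if __name__ == "__main__":
    # Constructed sample log line; the NRIC in it is not a real identifier.
    sample = "2018-09-01 ticket booking by S1234567D for seat 12A"
    print(partial_nric("S1234567D"))   # 567D
    print(redact_nrics(sample))         # ... booking by *****567D for seat 12A
    print(is_partial_nric("567D"), is_partial_nric("S1234567D"))  # True False
```

The redaction pass is the piece most organisations are missing: the application may store only a partial number, but a full NRIC typed into a web form often survives in access logs, support tickets and analytics events, which is exactly the "negligent handling" the Guidelines warn about.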
As a hub for international business transactions and a centre where many multinationals choose to establish their main regional presence, Singapore is determined to remain a regional leader for data protection standards.
The need for a strong data protection regime is only set to increase as the digital economy advances, with one estimate suggesting that the e-commerce market in the top six ASEAN countries will be valued at approximately US$90 billion by 2025 (in 2015, it was valued at US$5 billion).
The introduction of the Guidelines is indicative of the Commission's continuing commitment to strengthening the data privacy protections that are currently in place in the country.
The Guidelines bear resemblances to the Hong Kong Privacy Commissioner for Personal Data's Code of Practice on the collection of Hong Kong Identity Cards, revised in 2016.
Both compliance frameworks impose a substantive limit on the circumstances in which organisations may insist on the collection of an official identifier.
In view of the potential fines mentioned above, organisations need to ensure that they are aware of what local and international legislative requirements they are subject to, and to amend their policies, systems and procedures accordingly and regularly review their data processing practices.
Please contact us if you would like to learn more about the requirements or how we can help you meet them.