Implementing Singapore’s New NRIC Advisory Guidelines

All Singapore citizens and permanent residents are issued with a National Registration Identity Card (NRIC) which displays personal data including their photo and fingerprint and their unique NRIC number. The NRIC serves as an identifying document: government administrators, employers, and private organisations may, where mandated by law, use the information on the card to verify customer or employee identities, and complete certain official processes.

The sensitive nature of information contained on the NRIC means that businesses and other private organisations must follow the strict data protection measures set out in Singapore’s Personal Data Protection Act (PDPA) and enforced by the Personal Data Protection Commission (PDPC). On 1 September 2019, the PDPC issued updated Advisory Guidelines on how to handle the collection of NRIC data to all organisations in Singapore.

In order to remain compliant, and ensure customer and employee data is safe, all Singapore businesses should be familiar with the new rules.

When Can You Collect NRIC Information?

Businesses must understand when it is appropriate, and permissible, to collect NRIC information. More specifically, PDPA regulations actually prohibit businesses from collecting, using, or disclosing NRIC numbers, unless:

• The NRIC number is legally required, or is subject to an exception in the Personal Data Protection Act, or;
• Businesses need to establish the identity of an individual to a high degree of accuracy.

As the Advisory Guidelines suggest, there are circumstances where employers can and should collect NRIC numbers. Mobile phone companies, for example, are required by law to comply with their licensing conditions, which means they need to collect NRIC identifying information to maintain subscriber registries. Similarly, the PDPA provides exceptions for data collection without consent: in medical emergencies, for example, if a patient is unconscious, NRIC data can be collected in order to provide vital information to doctors about pre-existing conditions and allergies.

Secondly, in situations where businesses need to establish someone’s identity with a high degree of accuracy, NRIC collection is permissible when failing to do so would create a safety or security risk, or potentially harm the individual or organisation. Healthcare facilities and airports are obvious settings for this type of NRIC verification, but it would also be necessary to verify a customer’s age, for example, when purchasing certain restricted items like alcohol and tobacco.

Using Alternative Identifiers

Given the compliance factors associated with NRIC data collection, the PDPC works to encourage the use of alternative means of identity verification. Common examples of NRIC alternatives include:

• Unique IDs generated by the business itself
• Tracking numbers
• Email addresses

Although compliance concerns aren’t as strict, the same personal data concerns that apply to NRICs should apply to their alternatives - meaning businesses should avoid over-collection and put sufficient security measures in place to protect the data they collect. That said, there are numerous verification scenarios where NRIC collection is prohibited and where alternative verification is both necessary and useful:

• Registering interest in upcoming product releases: While businesses aren’t allowed to collect NRIC numbers to track interest in upcoming products, customers could instead voluntarily submit mobile phone numbers, emails, and names to be kept informed.
• Online purchases of film, theatre, or event tickets: Businesses need to verify identities in order to issue tickets purchased online to the right customers. In this context, alternatives to NRIC collection include issuing booking reference numbers or sending SMS codes to customer phones.
• Residential security management: To provide security to residents in condominiums or similar domestic habitats, owners must often record the identities of visitors. As an alternative to NRIC collection, which would be prohibited in this context, owners might implement electronic, password-protected visitor management systems.

SG-Verify: Developed by Singapore’s Government Technology Agency, SG-Verify facilitates identity verification using QR codes scanned by the SingPass mobile app. SG-Verify was introduced in 2019 as an alternative to NRIC data collection and is particularly relevant to banks and financial services companies.

For more information on data protection, tax and social security in Singapore, explore activpayroll’s Global Insight Guide to Singapore.