Singapore Regulator Issues NRIC Data Protection Reminder

Singapore’s National Registration Identity Card was introduced in 1965 by the National Registration Act as a way to identify every citizen or permanent resident within the city-state and facilitate certain official processes and transactions. The information on the card, pertaining to its holder, has changed since its introduction but it currently includes their photograph along with their:

• Name
• Race
• Date of birth
• Sex
• Country of birth
• Fingerprint

Importantly, the card includes the holder’s NRIC number (a unique sequence of 9 letters or digits), and an accompanying barcode. Certain long-term Singapore residents, such as ex-pat employees or students, also have their nationality displayed on the card and, like natural-born Singapore citizens, are issued a plastic version of the card which may be carried conveniently on their person.

Data Protection Concerns

NRIC numbers offer a way for both government and private organisations to retrieve official information about their holders and so are often used by employers and businesses in Singapore to verify the identity of customers or employees. However, given the sensitive nature of NRIC information, there are regulations in place to prevent the indiscriminate or unjustified collection, and negligent handling, of NRIC numbers.

With that concern in mind, Singapore’s Personal Data Protection Commission (PDPC) works to ensure those regulations are followed by organisations within the city - and so issues periodic advisory guidelines to remind businesses of their obligations towards personal information. In August 2018, a new set of NRIC Advisory Guidelines (NRIC AG) was issued: the PDPC gave organisations within Singapore a year to prepare for the guidelines’ introduction on 1 September 2019.

2019 Advisory Guidelines

The PDPC’s September 2019 guidelines remind organisations not to indiscriminately collect, store or pass on NRIC numbers. The new guidelines include updated advice for private sector organisations which may only collect NRIC numbers under certain circumstances. Given the sensitivity of the data involved, and the potential for fines of up to S$1 million for compliance breaches, it’s important that businesses in Singapore understand how to handle NRIC number collection.

The New NRIC Collection Guidelines

Under the 2019 guidelines, private sector organisations may only collect NRIC numbers if:

• They are required to by law, or;
• Must establish someone’s identity to a high degree of accuracy

The guidelines also prohibit businesses from retaining the physical NRIC itself - unless that step is required by law. Businesses may check the physical NRIC, but only if that step is necessary to verify specific information on the card. In situations where the NRIC card is physically retained, businesses must ensure that adequate protection measures are in place to safeguard the personal data on it. Details on those measures are set out in the Personal Data Protection Act.

Alternative Means of Verification

The PDPC is encouraging businesses to use alternative means of identity verification to help avoid the compliance issues associated with the NRIC - that approach includes using enhanced security measures such as two-factor authentication. Introduced in 2019, SG-Verify is a popular NRIC alternative: as part of the SingPass mobile system, SG-Verify enables a faster identity check process by incorporating QR code scanning.

NRIC AG Compliance Resources

A number of resources are available to help businesses comply with the regulations set out in the PDPC guidelines:

• A technical guide to alternative identity verification measures which can replace NRIC collection. SG-Verify is included in the latest version of the guide.
• Solutions for visitor management, point of sale, and relationship management verification - the solutions are pre-approved and included in the SME Portal Tech Depot.
• Visitor Management template notices for commercial and residential buildings.

The PDPC also maintains a list of frequently asked questions to help businesses and other organisations navigate their NRIC compliance obligations. The FAQs include options for alternative identifiers, and a list of relevant NRIC legislation.

Although the PDPC often focuses publicly on the NRIC, its personal data protection guidelines apply to all types of identifying documentation, including Birth Certificate, Foreign Identification, and Work Permit numbers, and, in some contexts, passport numbers.

For more information on Singapore’s compliance rules and regulations, tax, and payroll, consult activpayroll’s Singapore Global Insight Guide.