Businesses want more clarity on Personal Data Protection Act

SINGAPORE — The newly-enacted Personal Data Protection Act (PDPA), which requires organisations to inform individuals and obtain their consent when collecting personal data, does not prescribe the circumstances under which NRIC numbers should be provided — posing a conundrum for some organisations here as they adjust their policies and practices.

Central Business District skyline. Photo: Ernest Chua


The collection of NRIC numbers is a common practice among a variety of businesses here. Those which spoke to TODAY said it serves verification and audit purposes to ascertain a person’s identity, and that they would like more clarity on the laws.

For example, telecommunications companies need customers’ NRIC numbers for regulatory requirements and some businesses ask visitors for NRIC numbers before they are allowed to enter secured office premises.

Responding to TODAY’s queries, a spokesperson for the Personal Data Protection Commission (PDPC) said it will be publishing the final advisory guidelines to organisations before the end of this year. It had conducted two public consultations — one ended in April, the other last month — after it published an initial set of advisory guidelines on its website.

The Act does not prescribe the type of personal information an organisation can collect. Nevertheless, the PDPC guidelines said: “As a best practice, organisations should avoid over-collecting personal data, including NRIC numbers, where this is not required for their business or legal purposes. Organisations should consider whether there may be alternatives available that address their requirements.”

TGIF Bazaars, the operator for Sentosa’s Boardwalk Bazaars, said it needed vendors to produce either their NRIC, passport, Work Pass or business registration numbers in order to secure a booth.

Its spokesman pointed out that these identification numbers are the “only known ways” to validate the legality of a vendor’s participation and it is “a part of our responsibility” to request such information. These numbers may also be needed for accounting and audit and may also be “required” by the authorities here, he added.

SingTel said it had several ways to verify the identity of its customers. “At our shops, verification is done by checking customers’ NRIC. Another way is to send a one-time password to customers’ mobile phone via SMS,” said a company spokesperson.

While it does not share personal information with any third-party organisations without consumers’ expressed permission, SingTel said NRIC numbers are collected as part of regulatory requirements when customers subscribe to its services.

During the PDPC’s public consultation in April, some companies also called for the commission to provide more clarity on the use and collection of NRIC numbers. For example, the Singapore Press Holdings asked for clarification on whether an individual can be refused entry into secured office premises if they object to their NRIC card being retained.

The PDPC had previously noted that NRIC numbers are of “special concern” to individuals as they are unique to each person and are used in many official transactions with the Government.

Government agencies and statutory boards are excluded from the law — which was passed in Parliament in October last year — as they are governed by internal rules, most of which have not been made public.

Organisations have 18 months to adjust to the Act, between January this year and July next year, when the rules come into force.

Under the Act, organisations must make “reasonable” security arrangements to protect personal data in their possession or under their control in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or “similar risks”.

The PDPC noted that there is no “one size fits all” solution for organisations to comply with the new law and each organisation should consider adopting security arrangements that are “reasonable and appropriate in the circumstances”.

“Organisations such as TGIF Bazaars are advised to review their processes that involve personal data, including NRIC numbers, to ensure that they comply with the PDPA when the act comes into effect. There is no enforcement during the transition period,” the PDPC spokesperson said.
