Businesses want more clarity on Personal Data Protection Act
SINGAPORE — The newly-enacted Personal Data Protection Act (PDPA), which requires individuals to be informed and consent gained if organisations are collecting personal data, does not prescribe the circumstances under which NRIC numbers should be provided — posing a conundrum for some organisations here as they adjust their policies and practices.
The collection of NRIC numbers is a common practice among a variety of businesses here and those which spoke to TODAY said it serves verification and audit purposes to ascertain a person’s identity and they would like more clarity on the laws.
For example, telecommunications companies need customers’ NRIC numbers for regulatory requirements and some businesses ask visitors for NRIC numbers before they are allowed to enter secured office premises.
Responding to TODAY’s queries, a spokesperson for the Personal Data Protection Commission (PDPC) said it will be publishing the final advisory guidelines to organisations before the end of this year. It had conducted two public consultations — one ended in April, the other last month — after it published an initial set of advisory guidelines on its website.
The Act does not prescribe the type of personal information an organisation can collect. Nevertheless, the PDPC guidelines said: “As a best practice, organisations should avoid over-collecting personal data, including NRIC numbers, where this is not required for their business or legal purposes. Organisations should consider whether there may be alternatives available that address their requirements.”
TGIF Bazaars, the operator for Sentosa’s Boardwalk Bazaars, said it needed vendors to produce either their NRIC, passport, Work Pass or business registration numbers in order to secure a booth.
Its spokesman pointed out that these identification numbers are the “only known ways” to validate the legality of a vendor’s participation and it is “a part of our responsibility” to request for such information. These numbers may also be needed for accounting and audit and may also be “required” by the authorities here, he added.
SingTel said it had several ways to verify the identity of its customers. “At our shops, verification is done by checking customers’ NRIC. Another way is to send a one-time password to customers’ mobile phone via SMS,” said a company spokesperson.
While it does not share personal information with any third-party organisations without consumers’ expressed permission, SingTel said NRIC numbers are collected as part of regulatory requirements when customers subscribe to its services.
During the PDPC’s public consultation in April, some companies also called for the commission to provide more clarity on the use and collection of NRIC numbers. For example, the Singapore Press Holdings asked for clarification on whether an individual can be refused entry into secured office premises if they object to their NRIC card being retained.