Retailers should be held accountable for data breaches if they collect consumers’ NRIC numbers, personal data

Charlotte Tan Guan Ling

The recent cyber attack on SingHealth's IT system and the data breach disclosed by the Securities Investors Association Singapore — which, shockingly, came to light only five years later — have demonstrated the importance of safeguarding personal data, and especially highly sensitive personal data that is of great value in the black market.

Despite this, some retailers continue to use customers' national registration identity card (NRIC) numbers in lieu of other unique identifiers for their activities, even when there is no need to verify an individual's identity to such a high degree of accuracy.

Given that the NRIC number is a permanent and irreplaceable identifier which has significant consequences for an individual if misused for illicit purposes, it should not be casually used by retailers as a convenient and cost-saving alternative to generating unique identifiers.

Consumers rarely have a say in the data protection measures of retailers who opt to use NRIC numbers in their membership systems, but they bear the risk and damage should these systems be compromised by a technical malfunction or a malicious cyber attack.

It might seem innocuous, but a careless act by an employee can pose a risk to data security, especially when service crew working at the front-end are often required to access customer membership accounts for the purpose of updating membership privileges and contacting members.

Once personal data has been leaked and traded, it cannot be recovered, so retailers should be held accountable for such breaches if they opt to collect it from consumers.

In particular, retailers in possession of highly sensitive personal data should be held to a higher standard than those who are not.

One possible solution is to require such retailers to obtain the Data Protection Trustmark certification, failing which they would be required to destroy all sensitive personal particulars in their system.

Another alternative would be to require retailers collecting NRIC numbers or other sensitive information to provide satisfactory justification for such collection to the Personal Data Protection Commission.

Regardless of the approach taken, it is critical that retailers take data security seriously by implementing the necessary measures.

This would provide consumers with some assurance that there are adequate safeguards in place to protect their personal data.
