1. hot news today•Thursday11July20134
As a best practice,
organisations should
avoid over-collecting
personal data, including
NRIC numbers, where this
is not required for their
business or legal purposes.
Personal Data Protection Commission
Businesses want more
clarity on Personal
Data Protection Act
Ashley Chia
ashley@mediacorp.com.sg
SINGAPORE — The newly-enacted Per-
sonal Data Protection Act (PDPA),
which requires individuals to be in-
formed and consent gained if organi-
sations are collecting personal data,
does not prescribe the circumstances
underwhichNRICnumbersshouldbe
provided — posing a conundrum for
some organisations here as they ad-
just their policies and practices.
The collection of NRIC numbers is
a common practice among a variety
of businesses here and those which
spoke to TODAY said it serves verifi-
cationandauditpurposestoascertain
a person’s identity and they would like
more clarity on the laws.
For example, telecommunications
companies need customers’ NRIC
numbers for regulatory requirements
and some businesses ask visitors for
NRICnumbersbeforetheyareallowed
to enter secured office premises.
Responding to TODAY’s queries,
a spokesperson for the Personal Data
Protection Commission (PDPC) said
it will be publishing the final adviso-
ry guidelines to organisations before
the end of this year. It had conducted
two public consultations — one ended
in April, the other last month — after
it published an initial set of advisory
guidelines on its website.
TheActdoesnotprescribethetype
of personal information an organisa-
tion can collect. Nevertheless, the PD-
PCguidelinessaid:“Asabestpractice,
organisations should avoid over-col-
lecting personal data, including NRIC
numbers,wherethisisnotrequiredfor
their business or legal purposes. Or-
ganisations should consider whether
there may be alternatives available
that address their requirements.”
TGIF Bazaars, the operator for
Sentosa’s Boardwalk Bazaars, said
it needed vendors to produce either
their NRIC, passport, Work Pass or
business registration numbers in or-
der to secure a booth.
Its spokesman pointed out that
these identification numbers are the
“only known ways” to validate the le-
gality of a vendor’s participation and
itis“apartofourresponsibility”tore-
questforsuchinformation.Thesenum-
bersmayalsobeneededforaccounting
and audit and may also be “required”
by the authorities here, he added.
SingTel said it had several ways to
verify the identity of its customers.
Act does not prescribe the type
of personal information
an organisation can collect
“At our shops, verification is done by
checking customers’ NRIC. Another
way is to send a one-time password
to customers’ mobile phone via SMS,”
said a company spokesperson.
While it does not share person-
al information with any third-party
organisations without consumers’
expressed permission, SingTel said
NRIC numbers are collected as part
ofregulatoryrequirementswhencus-
tomers subscribe to its services.
During the PDPC’s public consul-
tation in April, some companies also
called for the commission to provide
more clarity on the use and collection
of NRIC numbers. For example, the
Singapore Press Holdings asked for
clarification on whether an individu-
al can be refused entry into secured
office premises if they object to their
NRIC card being retained.
The PDPC had previously noted
that NRIC numbers are of “special
concern” to individuals as they are
unique to each person and are used
in many official transactions with
the Government.
Government agencies and statuto-
ry boards are excluded from the law
— which was passed in Parliament in
October last year — as they are gov-
erned by internal rules, most of which
have not been made public.
Organisations have 18 months to
adjust to the Act, between January
this year and July next year, when the
rules come into force.
Under the Act, organisations must
make “reasonable” security arrange-
ments to protect personal data in its
possession or under its control in or-
der to prevent unauthorised access,
collection, use, disclosure, copy-
ing, modification, disposal or “simi-
lar risks”.
The PDPC noted that there is no
“one size fits all” solution for organ-
isations to comply with the new law
andeachorganisationshouldconsider
adopting security arrangements that
are “reasonable and appropriate in
the circumstances”.
“Organisations such as TGIF Ba-
zaarsareadvisedtoreviewtheirproc-
esses that involve personal data, in-
cludingNRICnumbers,toensurethat
they comply with the PDPA when the
act comes into effect. There is no en-
forcement during the transition peri-
od,” the PDPC spokesperson said.
concern over COLLECTION OF NRIC NUMBERS