SlideShare a Scribd company logo

Businesses want more clarity on pdpa

Allen Wan
Allen Wan

Privacy Protection

1 of 1
Download to read offline
hot news today•Thursday11July20134 As a best practice, organisations should avoid over-collecting personal data, including NRIC numbers, where this is not required for their business or legal purposes. Personal Data Protection Commission Businesses want more clarity on Personal Data Protection Act Ashley Chia ashley@mediacorp.com.sg SINGAPORE — The newly-enacted Per- sonal Data Protection Act (PDPA), which requires individuals to be in- formed and consent gained if organi- sations are collecting personal data, does not prescribe the circumstances underwhichNRICnumbersshouldbe provided — posing a conundrum for some organisations here as they ad- just their policies and practices. The collection of NRIC numbers is a common practice among a variety of businesses here and those which spoke to TODAY said it serves verifi- cationandauditpurposestoascertain a person’s identity and they would like more clarity on the laws. For example, telecommunications companies need customers’ NRIC numbers for regulatory requirements and some businesses ask visitors for NRICnumbersbeforetheyareallowed to enter secured office premises. Responding to TODAY’s queries, a spokesperson for the Personal Data Protection Commission (PDPC) said it will be publishing the final adviso- ry guidelines to organisations before the end of this year. It had conducted two public consultations — one ended in April, the other last month — after it published an initial set of advisory guidelines on its website. TheActdoesnotprescribethetype of personal information an organisa- tion can collect. Nevertheless, the PD- PCguidelinessaid:“Asabestpractice, organisations should avoid over-col- lecting personal data, including NRIC numbers,wherethisisnotrequiredfor their business or legal purposes. Or- ganisations should consider whether there may be alternatives available that address their requirements.” TGIF Bazaars, the operator for Sentosa’s Boardwalk Bazaars, said it needed vendors to produce either their NRIC, passport, Work Pass or business registration numbers in or- der to secure a booth. Its spokesman pointed out that these identification numbers are the “only known ways” to validate the le- gality of a vendor’s participation and itis“apartofourresponsibility”tore- questforsuchinformation.Thesenum- bersmayalsobeneededforaccounting and audit and may also be “required” by the authorities here, he added. SingTel said it had several ways to verify the identity of its customers. Act does not prescribe the type of personal information an organisation can collect “At our shops, verification is done by checking customers’ NRIC. Another way is to send a one-time password to customers’ mobile phone via SMS,” said a company spokesperson. While it does not share person- al information with any third-party organisations without consumers’ expressed permission, SingTel said NRIC numbers are collected as part ofregulatoryrequirementswhencus- tomers subscribe to its services. During the PDPC’s public consul- tation in April, some companies also called for the commission to provide more clarity on the use and collection of NRIC numbers. For example, the Singapore Press Holdings asked for clarification on whether an individu- al can be refused entry into secured office premises if they object to their NRIC card being retained. The PDPC had previously noted that NRIC numbers are of “special concern” to individuals as they are unique to each person and are used in many official transactions with the Government. Government agencies and statuto- ry boards are excluded from the law — which was passed in Parliament in October last year — as they are gov- erned by internal rules, most of which have not been made public. Organisations have 18 months to adjust to the Act, between January this year and July next year, when the rules come into force. Under the Act, organisations must make “reasonable” security arrange- ments to protect personal data in its possession or under its control in or- der to prevent unauthorised access, collection, use, disclosure, copy- ing, modification, disposal or “simi- lar risks”. The PDPC noted that there is no “one size fits all” solution for organ- isations to comply with the new law andeachorganisationshouldconsider adopting security arrangements that are “reasonable and appropriate in the circumstances”. “Organisations such as TGIF Ba- zaarsareadvisedtoreviewtheirproc- esses that involve personal data, in- cludingNRICnumbers,toensurethat they comply with the PDPA when the act comes into effect. There is no en- forcement during the transition peri- od,” the PDPC spokesperson said. concern over COLLECTION OF NRIC NUMBERS

Recommended

California Consumer Privacy Act and the Role of IAM
California Consumer Privacy Act and the Role of IAMCalifornia Consumer Privacy Act and the Role of IAM
California Consumer Privacy Act and the Role of IAMWSO2
 
California Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to knowCalifornia Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to knowOgilvy Health
 
Acc 675 control audit final project
Acc 675 control audit final projectAcc 675 control audit final project
Acc 675 control audit final projectKelly Giambra
 
Data privacy presentation
Data privacy presentationData privacy presentation
Data privacy presentationTravers Morgan
 
California Consumer Privacy Act - What You Need To Know
California Consumer Privacy Act - What You Need To KnowCalifornia Consumer Privacy Act - What You Need To Know
California Consumer Privacy Act - What You Need To KnowTokenEx
 
Privacy, Policy, and Encryption
Privacy, Policy, and EncryptionPrivacy, Policy, and Encryption
Privacy, Policy, and Encryptionaccessnowinc
 
California's Tough New Privacy Law is Here. Are You Ready?
California's Tough New Privacy Law is Here. Are You Ready?California's Tough New Privacy Law is Here. Are You Ready?
California's Tough New Privacy Law is Here. Are You Ready?Affiliate Summit
 
Noctress Presentation
Noctress PresentationNoctress Presentation
Noctress Presentationnoctress
 

Recommended

California Consumer Privacy Act and the Role of IAM
California Consumer Privacy Act and the Role of IAMCalifornia Consumer Privacy Act and the Role of IAM
California Consumer Privacy Act and the Role of IAMWSO2
 
California Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to knowCalifornia Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to knowOgilvy Health
 
Acc 675 control audit final project
Acc 675 control audit final projectAcc 675 control audit final project
Acc 675 control audit final projectKelly Giambra
 
Data privacy presentation
Data privacy presentationData privacy presentation
Data privacy presentationTravers Morgan
 
California Consumer Privacy Act - What You Need To Know
California Consumer Privacy Act - What You Need To KnowCalifornia Consumer Privacy Act - What You Need To Know
California Consumer Privacy Act - What You Need To KnowTokenEx
 
Privacy, Policy, and Encryption
Privacy, Policy, and EncryptionPrivacy, Policy, and Encryption
Privacy, Policy, and Encryptionaccessnowinc
 
California's Tough New Privacy Law is Here. Are You Ready?
California's Tough New Privacy Law is Here. Are You Ready?California's Tough New Privacy Law is Here. Are You Ready?
California's Tough New Privacy Law is Here. Are You Ready?Affiliate Summit
 
Noctress Presentation
Noctress PresentationNoctress Presentation
Noctress Presentationnoctress
 
CCPA comments by Prifina
CCPA comments by PrifinaCCPA comments by Prifina
CCPA comments by Prifinaprifina
 
Ccpa serviceproviders whitepaper_dec2019
Ccpa serviceproviders whitepaper_dec2019Ccpa serviceproviders whitepaper_dec2019
Ccpa serviceproviders whitepaper_dec2019Sonia Baldia
 
What Is E Commerce
What Is E CommerceWhat Is E Commerce
What Is E CommerceEd Dickinson
 
2019 04-17 10 steps to ccpa compliance
2019 04-17 10 steps to ccpa compliance2019 04-17 10 steps to ccpa compliance
2019 04-17 10 steps to ccpa complianceTrustArc
 
Legal Aspect Pertaining to E-commerce
Legal Aspect Pertaining to E-commerceLegal Aspect Pertaining to E-commerce
Legal Aspect Pertaining to E-commercePrince Sharma
 
Electronic Communications Act (2000)
Electronic Communications Act (2000)Electronic Communications Act (2000)
Electronic Communications Act (2000)Ed Dickinson
 
Top Questions Asked About the CCPA
Top Questions Asked About the CCPATop Questions Asked About the CCPA
Top Questions Asked About the CCPARyan Foster
 
Common Data Protection Issues in Managing M&A Deals
Common Data Protection Issues in Managing M&A DealsCommon Data Protection Issues in Managing M&A Deals
Common Data Protection Issues in Managing M&A DealsMatheson Law Firm
 
Protecting your business
Protecting your businessProtecting your business
Protecting your businessExisto Communications and Socio-Technologies
 
Gigya's China Data Center - Data Sheet
Gigya's China Data Center - Data SheetGigya's China Data Center - Data Sheet
Gigya's China Data Center - Data SheetGigya
 
Hey that's my client! Protecting client lists and confidential information wh...
Hey that's my client! Protecting client lists and confidential information wh...Hey that's my client! Protecting client lists and confidential information wh...
Hey that's my client! Protecting client lists and confidential information wh...Mike Fourcher
 
Quality and accuracy of data in the companies register: FTS of Russia experience
Quality and accuracy of data in the companies register: FTS of Russia experienceQuality and accuracy of data in the companies register: FTS of Russia experience
Quality and accuracy of data in the companies register: FTS of Russia experienceCorporate Registers Forum
 
Viñeta música 2
Viñeta música 2Viñeta música 2
Viñeta música 2Luisa Crew
 
Diagnóstico institucional en el campo de las tic
Diagnóstico institucional en el campo de las ticDiagnóstico institucional en el campo de las tic
Diagnóstico institucional en el campo de las ticEfrain Prado Angulo
 
Top 8 loan counselor resume samples
Top 8 loan counselor resume samplesTop 8 loan counselor resume samples
Top 8 loan counselor resume samplesridewshapo
 
Lc sdx32 d
Lc sdx32 dLc sdx32 d
Lc sdx32 dJang Cheol Ho
 
Sheet1
Sheet1Sheet1
Sheet1Diana Morales
 
Now ho medics mcs 200h shiatsu massage cushion
Now ho medics mcs 200h shiatsu massage cushionNow ho medics mcs 200h shiatsu massage cushion
Now ho medics mcs 200h shiatsu massage cushionRoadOnlineShop33
 
Programa
ProgramaPrograma
ProgramaEfrain Prado Angulo
 
2015-2016 inbound certificate
2015-2016 inbound certificate2015-2016 inbound certificate
2015-2016 inbound certificateMatthew Cantwell
 
Horner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRHorner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRJenny Ferguson
 
Data Security: A field guide for franchisors
Data Security: A field guide for franchisorsData Security: A field guide for franchisors
Data Security: A field guide for franchisorsGrant Thornton LLP
 

More Related Content

What's hot

CCPA comments by Prifina
CCPA comments by PrifinaCCPA comments by Prifina
CCPA comments by Prifinaprifina
 
Ccpa serviceproviders whitepaper_dec2019
Ccpa serviceproviders whitepaper_dec2019Ccpa serviceproviders whitepaper_dec2019
Ccpa serviceproviders whitepaper_dec2019Sonia Baldia
 
What Is E Commerce
What Is E CommerceWhat Is E Commerce
What Is E CommerceEd Dickinson
 
2019 04-17 10 steps to ccpa compliance
2019 04-17 10 steps to ccpa compliance2019 04-17 10 steps to ccpa compliance
2019 04-17 10 steps to ccpa complianceTrustArc
 
Legal Aspect Pertaining to E-commerce
Legal Aspect Pertaining to E-commerceLegal Aspect Pertaining to E-commerce
Legal Aspect Pertaining to E-commercePrince Sharma
 
Electronic Communications Act (2000)
Electronic Communications Act (2000)Electronic Communications Act (2000)
Electronic Communications Act (2000)Ed Dickinson
 
Top Questions Asked About the CCPA
Top Questions Asked About the CCPATop Questions Asked About the CCPA
Top Questions Asked About the CCPARyan Foster
 
Common Data Protection Issues in Managing M&A Deals
Common Data Protection Issues in Managing M&A DealsCommon Data Protection Issues in Managing M&A Deals
Common Data Protection Issues in Managing M&A DealsMatheson Law Firm
 
Gigya's China Data Center - Data Sheet
Gigya's China Data Center - Data SheetGigya's China Data Center - Data Sheet
Gigya's China Data Center - Data SheetGigya
 
Hey that's my client! Protecting client lists and confidential information wh...
Hey that's my client! Protecting client lists and confidential information wh...Hey that's my client! Protecting client lists and confidential information wh...
Hey that's my client! Protecting client lists and confidential information wh...Mike Fourcher
 
Quality and accuracy of data in the companies register: FTS of Russia experience
Quality and accuracy of data in the companies register: FTS of Russia experienceQuality and accuracy of data in the companies register: FTS of Russia experience
Quality and accuracy of data in the companies register: FTS of Russia experienceCorporate Registers Forum
 

What's hot (12)

CCPA comments by Prifina
CCPA comments by PrifinaCCPA comments by Prifina
CCPA comments by Prifina
 
Ccpa serviceproviders whitepaper_dec2019
Ccpa serviceproviders whitepaper_dec2019Ccpa serviceproviders whitepaper_dec2019
Ccpa serviceproviders whitepaper_dec2019
 
What Is E Commerce
What Is E CommerceWhat Is E Commerce
What Is E Commerce
 
2019 04-17 10 steps to ccpa compliance
2019 04-17 10 steps to ccpa compliance2019 04-17 10 steps to ccpa compliance
2019 04-17 10 steps to ccpa compliance
 
Legal Aspect Pertaining to E-commerce
Legal Aspect Pertaining to E-commerceLegal Aspect Pertaining to E-commerce
Legal Aspect Pertaining to E-commerce
 
Electronic Communications Act (2000)
Electronic Communications Act (2000)Electronic Communications Act (2000)
Electronic Communications Act (2000)
 
Top Questions Asked About the CCPA
Top Questions Asked About the CCPATop Questions Asked About the CCPA
Top Questions Asked About the CCPA
 
Common Data Protection Issues in Managing M&A Deals
Common Data Protection Issues in Managing M&A DealsCommon Data Protection Issues in Managing M&A Deals
Common Data Protection Issues in Managing M&A Deals
 
Protecting your business
Protecting your businessProtecting your business
Protecting your business
 
Gigya's China Data Center - Data Sheet
Gigya's China Data Center - Data SheetGigya's China Data Center - Data Sheet
Gigya's China Data Center - Data Sheet
 
Hey that's my client! Protecting client lists and confidential information wh...
Hey that's my client! Protecting client lists and confidential information wh...Hey that's my client! Protecting client lists and confidential information wh...
Hey that's my client! Protecting client lists and confidential information wh...
 
Quality and accuracy of data in the companies register: FTS of Russia experience
Quality and accuracy of data in the companies register: FTS of Russia experienceQuality and accuracy of data in the companies register: FTS of Russia experience
Quality and accuracy of data in the companies register: FTS of Russia experience
 

Viewers also liked

Viñeta música 2
Viñeta música 2Viñeta música 2
Viñeta música 2Luisa Crew
 
Diagnóstico institucional en el campo de las tic
Diagnóstico institucional en el campo de las ticDiagnóstico institucional en el campo de las tic
Diagnóstico institucional en el campo de las ticEfrain Prado Angulo
 
Top 8 loan counselor resume samples
Top 8 loan counselor resume samplesTop 8 loan counselor resume samples
Top 8 loan counselor resume samplesridewshapo
 
Now ho medics mcs 200h shiatsu massage cushion
Now ho medics mcs 200h shiatsu massage cushionNow ho medics mcs 200h shiatsu massage cushion
Now ho medics mcs 200h shiatsu massage cushionRoadOnlineShop33
 
2015-2016 inbound certificate
2015-2016 inbound certificate2015-2016 inbound certificate
2015-2016 inbound certificateMatthew Cantwell
 

Viewers also liked (8)

Viñeta música 2
Viñeta música 2Viñeta música 2
Viñeta música 2
 
Diagnóstico institucional en el campo de las tic
Diagnóstico institucional en el campo de las ticDiagnóstico institucional en el campo de las tic
Diagnóstico institucional en el campo de las tic
 
Top 8 loan counselor resume samples
Top 8 loan counselor resume samplesTop 8 loan counselor resume samples
Top 8 loan counselor resume samples
 
Lc sdx32 d
Lc sdx32 dLc sdx32 d
Lc sdx32 d
 
Sheet1
Sheet1Sheet1
Sheet1
 
Now ho medics mcs 200h shiatsu massage cushion
Now ho medics mcs 200h shiatsu massage cushionNow ho medics mcs 200h shiatsu massage cushion
Now ho medics mcs 200h shiatsu massage cushion
 
Programa
ProgramaPrograma
Programa
 
2015-2016 inbound certificate
2015-2016 inbound certificate2015-2016 inbound certificate
2015-2016 inbound certificate
 

Similar to Businesses want more clarity on pdpa

Horner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRHorner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRJenny Ferguson
 
Data Security: A field guide for franchisors
Data Security: A field guide for franchisorsData Security: A field guide for franchisors
Data Security: A field guide for franchisorsGrant Thornton LLP
 
EBC0033 Legal Whitepaper Nov 2015
EBC0033 Legal Whitepaper Nov 2015EBC0033 Legal Whitepaper Nov 2015
EBC0033 Legal Whitepaper Nov 2015Linus Choo
 
What to expect from the New York Privacy Act
What to expect from the New York Privacy ActWhat to expect from the New York Privacy Act
What to expect from the New York Privacy ActVISTA InfoSec
 
Adrs Flip Chart With Red Flags Rev4
Adrs Flip Chart With Red Flags Rev4Adrs Flip Chart With Red Flags Rev4
Adrs Flip Chart With Red Flags Rev4danc752
 
Is More Data Always Better? The Legal Risks of Data Collection, Storage and U...
Is More Data Always Better? The Legal Risks of Data Collection, Storage and U...Is More Data Always Better? The Legal Risks of Data Collection, Storage and U...
Is More Data Always Better? The Legal Risks of Data Collection, Storage and U...Vivastream
 
DIRECT MARKETING UNDER INDIA’S NEW DIGITAL DATA PROTECTION LAW
DIRECT MARKETING UNDER INDIA’S NEW DIGITAL DATA PROTECTION LAWDIRECT MARKETING UNDER INDIA’S NEW DIGITAL DATA PROTECTION LAW
DIRECT MARKETING UNDER INDIA’S NEW DIGITAL DATA PROTECTION LAWSpice Route Legal
 
The GDPR - A data revolution
The GDPR - A data revolutionThe GDPR - A data revolution
The GDPR - A data revolutionDan Brookman
 
Managing Design and eBusiness - Lecture 2
Managing Design and eBusiness - Lecture 2Managing Design and eBusiness - Lecture 2
Managing Design and eBusiness - Lecture 2Virtu Institute
 
The gold standard
The gold standardThe gold standard
The gold standardGreg Wilson
 
Adrs Presentation Folder 051909
Adrs Presentation Folder 051909Adrs Presentation Folder 051909
Adrs Presentation Folder 051909julchap
 
Second Verse, Different from the First.
Second Verse, Different from the First. Second Verse, Different from the First.
Second Verse, Different from the First. Judy Selby
 
Comparing California's Consumer Protection Act with the European Union's GDPR
Comparing California's Consumer Protection Act with the European Union's GDPRComparing California's Consumer Protection Act with the European Union's GDPR
Comparing California's Consumer Protection Act with the European Union's GDPRAlison Bird
 
Building a register of data processing
Building a register of data processingBuilding a register of data processing
Building a register of data processingTim Gough
 
Business communication (zayani)
Business communication (zayani)Business communication (zayani)
Business communication (zayani)hassan777898
 
Businesses May Recieve Stiff Penalties And Fines
Businesses May Recieve Stiff Penalties And FinesBusinesses May Recieve Stiff Penalties And Fines
Businesses May Recieve Stiff Penalties And Finesmasive213
 
Adrs Presentation March 2008
Adrs Presentation March 2008Adrs Presentation March 2008
Adrs Presentation March 2008guestabd20
 

Similar to Businesses want more clarity on pdpa (20)

Horner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRHorner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPR
 
Data Security: A field guide for franchisors
Data Security: A field guide for franchisorsData Security: A field guide for franchisors
Data Security: A field guide for franchisors
 
EBC0033 Legal Whitepaper Nov 2015
EBC0033 Legal Whitepaper Nov 2015EBC0033 Legal Whitepaper Nov 2015
EBC0033 Legal Whitepaper Nov 2015
 
What to expect from the New York Privacy Act
What to expect from the New York Privacy ActWhat to expect from the New York Privacy Act
What to expect from the New York Privacy Act
 
Adrs Flip Chart With Red Flags Rev4
Adrs Flip Chart With Red Flags Rev4Adrs Flip Chart With Red Flags Rev4
Adrs Flip Chart With Red Flags Rev4
 
Is More Data Always Better? The Legal Risks of Data Collection, Storage and U...
Is More Data Always Better? The Legal Risks of Data Collection, Storage and U...Is More Data Always Better? The Legal Risks of Data Collection, Storage and U...
Is More Data Always Better? The Legal Risks of Data Collection, Storage and U...
 
DIRECT MARKETING UNDER INDIA’S NEW DIGITAL DATA PROTECTION LAW
DIRECT MARKETING UNDER INDIA’S NEW DIGITAL DATA PROTECTION LAWDIRECT MARKETING UNDER INDIA’S NEW DIGITAL DATA PROTECTION LAW
DIRECT MARKETING UNDER INDIA’S NEW DIGITAL DATA PROTECTION LAW
 
GDPR Whitepaper
GDPR WhitepaperGDPR Whitepaper
GDPR Whitepaper
 
The GDPR - A data revolution
The GDPR - A data revolutionThe GDPR - A data revolution
The GDPR - A data revolution
 
Managing Design and eBusiness - Lecture 2
Managing Design and eBusiness - Lecture 2Managing Design and eBusiness - Lecture 2
Managing Design and eBusiness - Lecture 2
 
The gold standard
The gold standardThe gold standard
The gold standard
 
Adrs Presentation Folder 051909
Adrs Presentation Folder 051909Adrs Presentation Folder 051909
Adrs Presentation Folder 051909
 
Second Verse, Different from the First.
Second Verse, Different from the First. Second Verse, Different from the First.
Second Verse, Different from the First.
 
Comparing California's Consumer Protection Act with the European Union's GDPR
Comparing California's Consumer Protection Act with the European Union's GDPRComparing California's Consumer Protection Act with the European Union's GDPR
Comparing California's Consumer Protection Act with the European Union's GDPR
 
Dpl november colombia
Dpl november colombiaDpl november colombia
Dpl november colombia
 
Building a register of data processing
Building a register of data processingBuilding a register of data processing
Building a register of data processing
 
How to Protect Your Data
How to Protect Your DataHow to Protect Your Data
How to Protect Your Data
 
Business communication (zayani)
Business communication (zayani)Business communication (zayani)
Business communication (zayani)
 
Businesses May Recieve Stiff Penalties And Fines
Businesses May Recieve Stiff Penalties And FinesBusinesses May Recieve Stiff Penalties And Fines
Businesses May Recieve Stiff Penalties And Fines
 
Adrs Presentation March 2008
Adrs Presentation March 2008Adrs Presentation March 2008
Adrs Presentation March 2008
 

Businesses want more clarity on pdpa

  • 1. hot news today•Thursday11July20134 As a best practice, organisations should avoid over-collecting personal data, including NRIC numbers, where this is not required for their business or legal purposes. Personal Data Protection Commission Businesses want more clarity on Personal Data Protection Act Ashley Chia ashley@mediacorp.com.sg SINGAPORE — The newly-enacted Per- sonal Data Protection Act (PDPA), which requires individuals to be in- formed and consent gained if organi- sations are collecting personal data, does not prescribe the circumstances underwhichNRICnumbersshouldbe provided — posing a conundrum for some organisations here as they ad- just their policies and practices. The collection of NRIC numbers is a common practice among a variety of businesses here and those which spoke to TODAY said it serves verifi- cationandauditpurposestoascertain a person’s identity and they would like more clarity on the laws. For example, telecommunications companies need customers’ NRIC numbers for regulatory requirements and some businesses ask visitors for NRICnumbersbeforetheyareallowed to enter secured office premises. Responding to TODAY’s queries, a spokesperson for the Personal Data Protection Commission (PDPC) said it will be publishing the final adviso- ry guidelines to organisations before the end of this year. It had conducted two public consultations — one ended in April, the other last month — after it published an initial set of advisory guidelines on its website. TheActdoesnotprescribethetype of personal information an organisa- tion can collect. Nevertheless, the PD- PCguidelinessaid:“Asabestpractice, organisations should avoid over-col- lecting personal data, including NRIC numbers,wherethisisnotrequiredfor their business or legal purposes. Or- ganisations should consider whether there may be alternatives available that address their requirements.” TGIF Bazaars, the operator for Sentosa’s Boardwalk Bazaars, said it needed vendors to produce either their NRIC, passport, Work Pass or business registration numbers in or- der to secure a booth. Its spokesman pointed out that these identification numbers are the “only known ways” to validate the le- gality of a vendor’s participation and itis“apartofourresponsibility”tore- questforsuchinformation.Thesenum- bersmayalsobeneededforaccounting and audit and may also be “required” by the authorities here, he added. SingTel said it had several ways to verify the identity of its customers. Act does not prescribe the type of personal information an organisation can collect “At our shops, verification is done by checking customers’ NRIC. Another way is to send a one-time password to customers’ mobile phone via SMS,” said a company spokesperson. While it does not share person- al information with any third-party organisations without consumers’ expressed permission, SingTel said NRIC numbers are collected as part ofregulatoryrequirementswhencus- tomers subscribe to its services. During the PDPC’s public consul- tation in April, some companies also called for the commission to provide more clarity on the use and collection of NRIC numbers. For example, the Singapore Press Holdings asked for clarification on whether an individu- al can be refused entry into secured office premises if they object to their NRIC card being retained. The PDPC had previously noted that NRIC numbers are of “special concern” to individuals as they are unique to each person and are used in many official transactions with the Government. Government agencies and statuto- ry boards are excluded from the law — which was passed in Parliament in October last year — as they are gov- erned by internal rules, most of which have not been made public. Organisations have 18 months to adjust to the Act, between January this year and July next year, when the rules come into force. Under the Act, organisations must make “reasonable” security arrange- ments to protect personal data in its possession or under its control in or- der to prevent unauthorised access, collection, use, disclosure, copy- ing, modification, disposal or “simi- lar risks”. The PDPC noted that there is no “one size fits all” solution for organ- isations to comply with the new law andeachorganisationshouldconsider adopting security arrangements that are “reasonable and appropriate in the circumstances”. “Organisations such as TGIF Ba- zaarsareadvisedtoreviewtheirproc- esses that involve personal data, in- cludingNRICnumbers,toensurethat they comply with the PDPA when the act comes into effect. There is no en- forcement during the transition peri- od,” the PDPC spokesperson said. concern over COLLECTION OF NRIC NUMBERS