Starting from September 1 2019, it will be illegal for organisations to collect, use, disclose or make illegal copies of an individual’s NRIC. Under the Personal Data Protection Act (PDPA) (yup the same organisation that made collecting data for orientation stricter), organisations are also not allowed to retain a person’s NRIC. There are only two instances where it is alright for NRIC numbers to be collected; when it is required by law, and when it is needed for identity verification (a list of appropriate and inappropriate instances can be found here). The rationale for this new rule is to prevent fraud and identity theft, – after all, the NRIC is an irreplaceable permanent identifier.
For organisations currently keeping NRIC numbers for ‘frivolous’ reasons (for example to conduct shopping mall lucky draws), the numbers will need to be anonymised, secured or disposed of according to PDPA guidelines. If they fail to do so, they could be subjected to a fine of up to SG$1 million. These guidelines will apply to all organisations except, public agencies and groups associated or working for them.
NR-I-C that this is an important issue.
Privacy advocates have always been critical about how security guards and retail stores can demand for a person’s NRIC number and in some instances, even keep the card. These new regulations are here to assuage fears that with increasing digitisation of information, personal information is more likely to be passed around easily. This was the case when the Singapore Taekwondo Federation was fined S$30,000 after it disclosed the NRIC numbers of 782 Minors through a PDF document on its website.
It’s expected that organisations will have to find new ways to identify people. One suggestion is for emails and mobile phone numbers to be collected instead, though to be honest, that seems like a PDPA violation as well.