Singapore personal data protection reforms in force from next year

Out-Law News | 03 Sep 2018 | 11:08 am | 1 min. read

Organisations in Singapore will no longer be able to collect certain "unjustified" personal identification data about individuals from next year, the Personal Data Protection Commission (PDPC) has announced.

From 1 September 2019, organisations will generally not be permitted to collect, use or disclose individuals' National Registration Identity Card (NRIC) numbers, birth certificate numbers, foreign identification numbers and work permit numbers. The new law will also prevent organisations from retaining individuals' identity cards, or a copy of their identity cards or numbers.

Limited exemptions are set out in new PDPC guidance (15-page / 448KB PDF), and apply where collection, use or disclosure is required by law, or is "necessary to accurately establish or verify the identities of the individuals to a high degree of fidelity". The new law does not apply to public sector or critical infrastructure buildings.

The PDPC has produced a template notice to help organisations manage customer expectations during the transition period. It has also produced technical guidance (18-page / 389KB PDF) setting out potential alternatives to NRIC numbers for organisations, and replacements for NRIC numbers in existing systems.

Individuals are often asked for NRIC numbers in many scenarios where this is not required by law, including redeeming free parking at shopping centres, online cinema ticket purchases and establishing their identity when visiting private apartment complexes, according to the guidance. Instead, organisations may consider checking the individual's card without retaining a copy, or simply collecting names and contact details.

In some circumstances, organisations may be permitted to collect partial NRIC numbers "when other alternatives are not satisfactory", according to the guidance. Those that choose to do so may collect up to the last three numerical digits and the 'check' digit to avoid breaching the new law.

The PDPC said that the changes were necessary as an individual's NRIC number is "a permanent and irreplaceable identified which can potentially be used to unlock large amounts of information relating to the individual".

"Indiscriminate or negligent handling of NRIC numbers increases the risk of unintended disclosure with the result that NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud," it said.

"Organisations have substantial time to review their policies and processes in order to comply but, as always, the sooner the better," said technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture of Pinsent Masons, the law firm behind