About Collection, Use, or Disclosure of NRIC Numbers from 1 September 2019 in Singapore

All you need to know about the updated PDPA

Janelle Lee, published in bantu, Aug 29, 2019 (3 min read)

Background

Did you know that the treatment of NRIC numbers described in the stricter Personal Data Protection Act also applies to Birth Certificate numbers, Foreign Identification Numbers (“FIN”) and Work Permit numbers?

The Personal Data Protection Commission (PDPC): “In today’s digital economy, indiscriminate collection or negligent handling of NRIC numbers can increase the risk of unintended disclosure and may result in NRIC numbers being used for illegal activities such as identity theft or fraud.”

Guidelines on NRIC collection from the Personal Data Protection Commission

What immediate steps do you need to take before September 1, 2019?

  • Dispose of any physical or electronic records of NRIC and inappropriate personal data, using appropriate methods.
  • Ensure that your organisation has reviewed its processes to only collect NRIC details where the law requires it, or when it is necessary to verify someone’s identity “to a high degree of fidelity”.
  • Identify reliable and well-trained personnel and implement robust policies and procedures to ensure information security.

Take note: Companies are liable for their employees’ breaches of the PDPA if these breaches occurred in the course of the employee’s employment with the company – even if the company hadn’t approved of the employee’s acts, or didn’t even know of them in the first place.

For current users on Workspace

On bantu Workspace, we work with a wide range of clients who may still be eligible to collect NRIC numbers in order to protect specific members or vulnerable beneficiaries they are working with. This would include visiting pre-schools or transactions involving healthcare, financial or real estate matters, and when not getting it could risk security or could cause significant harm.

You can still host NRIC and National ID data on bantu Workspace since your organisation may still have the right to do so, “where the law requires it”, or when it is necessary to verify someone’s identity “to a high degree of fidelity” (Personal Data Protection Commission). However, you and your organisation will remain responsible for abiding by the PDPA in an appropriate manner.

How does hosting your information on a cloud solution like bantu Workspace work?

As a company, we ensure that we are PDPA compliant in protecting your organisation’s information. However, there is a clear distinction to be made here. As you store your members’ personal data on bantu Workspace, we are a data intermediary that is processing your organisation’s personal data. Although we do not have data protection obligations while processing personal data on behalf of another organisation under a written contract (source), we do have obligations relating to the security and retention of the personal data.

You can read more about Data Intermediaries here and the Protection Obligation here.

In simpler words:

bantu as an entity is responsible for maintaining the security of hosting your data in the cloud; however, we are not responsible for the illegal collection of NRIC and personal information. Even though no software or online service is ever entirely free from security vulnerabilities, we have the responsibility to implement appropriate technical and organisational measures to ensure an appropriate level of security for any personal data that is hosted on bantu Workspace.

Some useful tips from the PDPC:

  • A phone number and an e-mail address are usually sufficient for identity verification
  • Consider collecting partial NRIC numbers i.e. collect 567A instead of S1234567A
  • Conducting regular training sessions for staff to impart good practices in handling personal data and strengthen awareness of threats to security of personal data
  • Ensuring that only the appropriate amount of personal data is held, as holding excessive data will also increase the efforts required to protect personal data.

Janelle Lee, editor for bantu. Social Entrepreneur, Coffee Lover \\ Product Lead @ bantu