Search for:

In brief

With effect from 1 September 2019, organizations are generally not allowed to collect, use or disclose National Registration Identity Card (NRIC) numbers and copies of NRIC and other national identification numbers, except in certain specified circumstances.

Notwithstanding clear guidance documents issued by the Personal Data Protection Commission (PDPC), it appears that some organizations continue to collect, use or disclose such national identification numbers in breach of the Personal Data Protection Act (PDPA). 


In May 2021, a recruiter was sentenced to seven months and six weeks’ imprisonment and fined SGD 3,000 (approximately USD 2,300) for illegally retaining scanned copies of the NRICs of job applicants, and thereafter, using the NRICs to redeem over 200 face masks from vending machines installed by the Singapore government. 

This serves as a timely reminder on compliance with the rules governing the collection, use or disclosure of NRIC and other national identification numbers in Singapore. Importantly, organizations should put in place adequate measures to protect such personal data and minimize the risk of employee misuse of such personal data, including any legitimately collected NRIC numbers and copies of NRIC or other national identification numbers. This is especially given the sensitivity and potential adverse impact to the individual of any unauthorized use or disclosure of their NRIC number.

Background

With effect from 1 September 2019, pursuant to guidelines issued by the PDPC on the applicable standard for the permissible collection, use or disclosure of NRIC numbers and the retention of physical NRICs, organizations are generally not allowed to collect, use or disclose NRIC numbers or copies of NRICs, except in the following specified circumstances:

a) The collection, use or disclosure of NRIC numbers (or copies of NRICs) is required under the law (or an exception under the PDPA applies).

b) The collection, use or disclosure of NRIC numbers (or copies of NRICs) is necessary to accurately establish or verify the identities of the individuals to a high degree of fidelity.

Notwithstanding such guidelines, there continues to be reports of organizations and individuals that continue to collect, use or disclose such national identification numbers or fail to put in place reasonable security arrangements to protect NRIC numbers in their possession or under their control, in breach of the PDPA.

For example, on 10 May 2021, a recruiter was sentenced to seven months and six weeks’ imprisonment and fined SGD 3,000 (approximately USD 2,300) for, among other offenses, retaining illegally obtained personal data. As a recruiter, he received the curriculum vitae and scanned copies of the NRICs of job applicants. It is legally permissible for recruiters to obtain job applicants’ NRIC numbers where it is required for compliance with the Employment Act, but there is no requirement under the law to ask for NRIC numbers for the purpose of job applications. In any event, the recruiter retained the NRIC copies of 384 individuals in his mobile phone, even after he left his job as a recruiter. He then used the NRIC numbers to redeem 207 face masks issued by the Singapore government from various vending machines on three occasions.

Separately, in the PDPC decision “In the matter of an investigation under Section 50(1) of the Personal Data Protection Act 2012 and Singapore Taekwondo Federation,” a financial penalty of SGD 30,000 (approximately USD 23,000) was imposed on the Singapore Taekwondo Federation. The NRIC numbers of 782 students were set out in columns that were publicly accessible, due to an inadvertent error by the organization’s head of the tournament department. The PDPC found that, among others, the organization did not implement any personal data policy and left the manner of handling the students’ personal data to an “unwritten SOP.”

The NRIC number can potentially be used to unlock large amounts of information relating to the individual. Consequently, the PDPC has designated the collection, use and disclosure of an individual’s NRIC number as being of special concern.

Prior to the issuance of the PDPC guidelines that took effect on 1 September 2019, it was fairly common for organizations in Singapore to collect an individual’s NRIC number even in circumstances that did not appear warranted, such as for a shopper to participate in a lucky draw, for a customer to sign up for a customer loyalty program or for the redemption of free car park coupons at a shopping mall. It is therefore timely for organizations to be cognizant of the guidelines issued by the PDPC in relation to the limited circumstances under which the collection, use and disclosure of NRIC numbers is permissible.

Further, in the two cases discussed above, the breaches were attributable to employee misconduct or error. This serves as a timely reminder for organizations to educate their employees and put in place safeguards to prevent contraventions of the PDPA and related NRIC rules. These include keeping NRIC information only in secured company-issued devices with a “view-only” setting where the mass transfer of NRIC information is prohibited, and ensuring that NRIC copies are destroyed as soon as they are no longer needed.

*****

For further information and to discuss what this might mean for you, please get in touch with your usual Baker McKenzie contact.

LOGO_Wong&Leow_Singapore

Baker McKenzie Wong & Leow is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Author

Andy Leck is the managing principal of Baker McKenzie.Wong & Leow. Mr. Leck is recognised by the world’s leading industry and legal publications as a leader in his field. Asian Legal Business notes that he “always gives good, quick advice, [is] client-focused and has strong technical knowledge for his areas of practice”. Alongside his current role as managing principal, Mr. Leck has held several leadership positions in the Firm and externally as a leading IP practitioner. He currently serves on the International Trademark Association's Board of Directors and is a member of the Singapore Copyright Tribunal.

Author

Ren Jun is an associate principal of Baker & McKenzie.Wong & Leow. Ren Jun extensively represents local and international intellectual property-intensive clients in both contentious and non-contentious IP matters, such as anti-counterfeiting; civil and criminal litigation; commercial issues; regulatory clearance; and advertising laws. Ren Jun also advises on a wide range of issues relating to the healthcare industries. These include regulatory compliance in respect of drugs, medical devices, clinical trials, health supplements and cosmetics; product liability and recall; and anti-corruption. Ren Jun is currently a member of the Firm's Asia Pacific Healthcare ASEAN Economic Community; Product Liability and Regulatory Sub-Committees.

Author

Abe is a principal in our Singapore office. His main areas of practice include patents, trade secrets, copyright, and transactional IP for international and domestic clients. With over eleven years of legal experience as a lawyer and over ten years of technical experience as an engineer in the US and Canada, Abe is able to provide commercially oriented legal and technology-specific advice on a wide range of IP issues. Before joining our Singapore office in 2016, Abe was a lawyer in our Baker McKenzie offices in the US (where he passed the US patent bar examination and qualified as a US Registered Patent Attorney (limited recognition)) and Thailand.

Author

Arwen is a local principal in the Firm's Intellectual Property and Technology (IPTech) Practice Group in Singapore. She is a member of the Law Society of Scotland, and has been admitted to practice in Scotland since 2004. Arwen worked as an intellectual property and technology lawyer in the UK and Europe before relocating to Asia in 2014 and has since worked in both Singapore and Hong Kong, advising on matters across both Asia Pacific and Europe. Arwen is recognised in Legal 500 (2020) as "commercial, pragmatic and personable" for the TMT sector.