Businesses from banks to property agents, those offering lucky draw, organisations and places which requires you to change your NRIC for a pass for entry would be affected when the Personal Data Protection Act (PDPA) comes into force next July when businesses have to comply by then. Many of us who had to surrender our IC or had to give an incomplete or fake NRIC when filling up forms by companies knowing that our personal data would be traded around behind our backs are now potentially protected. Businesses can’t peddle our phone numbers away for us to be harassed by another company selling insurance, a time share, a financial product, a survey, without our consent.
The No-Call Registry starting in January 2014 is an interesting repository of “do not harass me” handphone numbers. Companies can be fined up to $1 million by the Personal Data Protection Commission if the PDPA is flouted. Unless the commission is in reality all bark, no bite as they are flooded with complaints and paralysed into inaction. Still, be sure to register your handphone number if you are bothered by callers trying to sell you something.
There would be new industries – companies offering personal data protection services to SMEs. As companies and organisations big and small need personal data officers once they collect customer personal information, this is a niche skill set, like MAS compliance officers maybe. Companies are scratching their heads to get around the PDPA since collecting IC numbers would be increasingly frowned upon. Handphone numbers would be more important than before as personal identification although the PDPA also covers its collection, storage and use.
The PDPA is the right step ahead, similar to the UK’s 1998 Data Protection Act where it protects an individual’s right to privacy. Would Singapore also introduce a Freedom of Information Act like the UK, which is an act about the state’s responsibility for transparency?
SINGAPORE — The newly-enacted Personal Data Protection Act (PDPA), which requires individuals to be informed and consent gained if organisations are collecting personal data, does not prescribe the circumstances under which NRIC numbers should be provided — posing a conundrum for some organisations here as they adjust their policies and practices.
The collection of NRIC numbers is a common practice among a variety of businesses here and those which spoke to TODAY said it serves verification and audit purposes to ascertain a person’s identity and they would like more clarity on the laws.
For example, telecommunications companies need customers’ NRIC numbers for regulatory requirements and some businesses ask visitors for NRIC numbers before they are allowed to enter secured office premises.
Responding to TODAY’s queries, a spokesperson for the Personal Data Protection Commission (PDPC) said it will be publishing the final advisory guidelines to organisations before the end of this year. It had conducted two public consultations — one ended in April, the other last month — after it published an initial set of advisory guidelines on its website.
The Act does not prescribe the type of personal information an organisation can collect. Nevertheless, the PDPC guidelines said: “As a best practice, organisations should avoid over-collecting personal data, including NRIC numbers, where this is not required for their business or legal purposes. Organisations should consider whether there may be alternatives available that address their requirements.”
TGIF Bazaars, the operator for Sentosa’s Boardwalk Bazaars, said it needed vendors to produce either their NRIC, passport, Work Pass or business registration numbers in order to secure a booth.
Its spokesman pointed out that these identification numbers are the “only known ways” to validate the legality of a vendor’s participation and it is “a part of our responsibility” to request for such information. These numbers may also be needed for accounting and audit and may also be “required” by the authorities here, he added.
SingTel said it had several ways to verify the identity of its customers. “At our shops, verification is done by checking customers’ NRIC. Another way is to send a one-time password to customers’ mobile phone via SMS,” said a company spokesperson.
While it does not share personal information with any third-party organisations without consumers’ expressed permission, SingTel said NRIC numbers are collected as part of regulatory requirements when customers subscribe to its services.
During the PDPC’s public consultation in April, some companies also called for the commission to provide more clarity on the use and collection of NRIC numbers. For example, the Singapore Press Holdings asked for clarification on whether an individual can be refused entry into secured office premises if they object to their NRIC card being retained.
The PDPC had previously noted that NRIC numbers are of “special concern” to individuals as they are unique to each person and are used in many official transactions with the Government.
Government agencies and statutory boards are excluded from the law — which was passed in Parliament in October last year — as they are governed by internal rules, most of which have not been made public.
Organisations have 18 months to adjust to the Act, between January this year and July next year, when the rules come into force.
Under the Act, organisations must make “reasonable” security arrangements to protect personal data in its possession or under its control in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or “similar risks”.
The PDPC noted that there is no “one size fits all” solution for organisations to comply with the new law and each organisation should consider adopting security arrangements that are “reasonable and appropriate in the circumstances”.
“Organisations such as TGIF Bazaars are advised to review their processes that involve personal data, including NRIC numbers, to ensure that they comply with the PDPA when the act comes into effect. There is no enforcement during the transition period,” the PDPC spokesperson said.