At this time next year, it will become illegal for organisations to collect NRIC numbers or make copies of the card, or of similar national identification numbers and documents. There are going to be numerous exceptions, and I hope ultimately the new rules will help serve the purpose of ensuring the confidentiality of NRIC numbers.
NRIC numbers were supposed to have been confidential information to begin with. The past few decades saw the increasing prevalence of organisations collecting NRIC numbers and much other excessive information, often with no clear purpose other than that they may become useful in some distant future.
Singapore’s Personal Data Protection Act (PDPA) helped address some issues of reckless and irresponsible collection, use, disclosure, care, etc, of personal data. However, as long as an organisation could provide even a remotely tenable justification, the PDPA still allows them to collect, use, and disclose NRIC numbers.
The new rule tries to address these issues, but I’m not sure if it truly provides enough clarity. It allows exceptions, such as when required by other laws, which is reasonable enough, but further suggests there are other permissible cases, such as when it is necessary to precisely verify an individual’s identity “to a high degree of fidelity”.
The Personal Data Protection Commission (PDPC) considers it necessary to verify an individual’s identity to a high level of fidelity where it concerns:
- significant safety or security risks
- significant impact or harm to an individual and/or organisation
They give examples of visitor entry at preschools, and fraud.
I don’t know if they will have more precise definitions, because the above seems relatively vague. Would the wrong person collecting a $1M lucky draw prize be considered fraud, causing significant impact or harm to an individual and/or organisation? It would seem so to me, and so, would contest organisers still be allowed to collect NRIC numbers and/or make copies of the identity cards?
There are also young children playing in common areas of private condominiums, so should security guards there similarly collect NRIC details of visitors? I would argue that preschools likely have closer adult supervision than in a condominium common area.
In my opinion, the rules should be more definitive. Exceptions can be granted by the PDPC upon application by organisations. Don’t just leave the rules open to interpretation. Don’t leave it to individuals to challenge the organisations. Most people, when demanded to provide their NRIC number, will still grudgingly do so in order to complete a transaction they had set out to perform.
The PDPC is trying to address this problem of indiscriminate collection of NRIC numbers. They’re trying to give clarity on what they want to do. That’s good. But they’re not going all the way to close the gaps. Is this a case of do the minimum and see how it works?
Just imagine if we’re trying to enact a new speeding law. Are we going to say, speeding is not allowed unless under some exceptional circumstances, such as when you really, really, need to go fast?
Your NRIC number cannot change, at least not unless the government changes their rule on that. It is a national identity number that should only be used with the government, and any agents who work on their behalf. Why should any other unrelated organisation, with whom you are carrying out a private transaction that is not regulated by the government, ever need to know your NRIC number?
I realise many of the arguments often revolve around the need to establish identity. I see here an opportunity for the government to develop a new electronic national identity system. It has to be something that does not require NRIC numbers themselves to be visible to 3rd party entities. Consider how, as an example, your passport number helps establish your identity at immigration in foreign countries, but they don’t know your NRIC number.
This manual system of course won’t scale when you need to provide identification services to tens of thousands of entities requiring to establish your identity. But there are mechanisms on the Internet now that, with some changes, can work as a national system for establishing identity. If you think about it, the NRIC number itself is meaningless to any organisation. They merely need an identifier to connect the person. Or if a crime happens, to be able to tell that police the identifier that they were provided with.
The problem with NRIC numbers need sto be tackled more holistically.