Singapore’s Data Protection Authority, the Personal Data Protection Commission, recently released its revised "Advisory Guidelines for National Registration Identification Card" and numbers following public consultation. Effective from Sept. 1, 2019, the advisory guidelines provide private organizations and individuals with the PDPC’s interpretation of the Singapore Personal Data Protection Act as it relates to the collection, use and disclosure of NRICs.

The changes to the advisory guidelines generated great interest in Singapore. In particular, they inspired an overwhelming response from individuals — the public consultation recorded over 61 responses from individuals, which is several times the usual response for a consultation carried out by the PDPC. Several letters were also written to national newspapers to express a view on this issue.

This should not be surprising. Like other national IDs in the Asia Pacific (such as Hong Kong’s HKID), the NRIC is a pervasive facet of a Singaporean’s life. More than a necessary identifier for transactions with the government, the NRIC has been used by private organizations as a convenient customer identifier, a reliable document to prove identity and even as a form of security for entering a secured building or renting a bicycle. Singaporeans freely give it out, but with growing awareness of the increased harm arising from unauthorized disclosures of NRICs, some question whether private organizations should continue such practices.

In this respect, the PDPC comes firmly on the side of individuals. In its guidelines, the PDPC states that private organizations may only collect, use or disclose NRIC in the following circumstances:

• When collection, use and disclosure of NRICs is required under the law (or an exception under the PDPA applies).
• When collection, use and disclosure of NRICs numbers is necessary to accurately establish or verify the identities of the individuals to a high degree of fidelity.

On the surface, these changes appear very restrictive. The collection, use or disclosure of NRICs would either have to be already provided in law or be used for the strict purpose of identifying individuals. Several individuals expressed support (and gratitude) for the changes in the advisory guidelines.

On the other hand, private organizations did not view these changes favorably. One organization declared (outlandishly in this author’s view) that changing the use of the NRIC as an identifier would cost it millions of dollars and take five to 10 years to complete. Given the PDPC’s power to penalize organizations with financial penalties of up to USD$720,000 and the frequency of NRICs being involved in data breaches, several organizations took these changes very seriously.

Unlike data protection laws in Europe and the U.S., the primary impetus for the PDPA is to facilitate businesses using personal data. This is more obvious from the original guidelines which merely state that NRICs can be used “for reasonable purposes for which consent has been obtained validly” and that in some situations, collecting NRICs may “lead to a reduced need to collect other forms of personal data,” which is largely a reflection of NRIC practices then. In this light, the PDPC should be applauded for sticking with the restrictive guidelines. With greater awareness of the increased harm caused to individuals when data breaches concerns NRICs, excessive usage of NRICs is bad for business, and private organizations appear to grudgingly accept that.

However, if the main objective of the changes is to build trust for private organizations using personal data, the advisory guidelines leave much to be desired. Singaporeans will be shocked to find the long list of exemptions in the schedules of the PDPA. Excluded activities includes managing the employment relationship, information provided by a public agency and news activities. Furthermore, does the mere mention of NRICs or record keeping in a law give a private organization the excuse to collect them? It is not clear whether data protection or privacy was considered when such laws were drafted in the first place. The cynical conclusion is that the exemptions are the rule, and the advisory guidelines still provide many “loopholes” for private organizations to use NRICs excessively without an individual’s consent.

Likewise, if it is broadly accepted that NRICs constitute sensitive data, Singaporeans may expect greater accountability from private organization trying to use them. However, the PDPA does not provide NRICs as a special category of personal data or require private organization to demonstrate compliance with the advisory guidelines. It would appear that the only impact to organizations arising from the excessive use of NRICs is increased penalties in the event of a data breach. The loss of business reputation and trust a business may face when there is a data breach may not be reversed by a financial penalty.

Whatever misgivings one may have regarding the advisory guidelines should be qualified with the fact that they provide the PDPC’s guidance on the PDPA. The exemptions and the law providing that the PDPA does not prevail over any other law are in the PDPA and the PDPC’s advisory guidelines cannot change that. The correct conclusion is that the guidelines go as far as they can go within the parameters of the PDPA, and there is not much the PDPC can do without significant enhancements to the PDPA itself. The advisory guidelines is thus a remarkable indicator of the success that the PDPC has in implementing the PDPA.

The PDPA is not staying put. One interesting amendment being considered in the review of the PDPA is the provision of ‘Legal or Business Purpose’ approach as an alternative basis of processing. Following one round of public consultation, the PDPC intends to revise that approach from ‘Legal or Business Purpose’ to ‘Legitimate Interests.’ Now, doesn’t that sound familiar!

Photo credit: 1Nine8Four Singapore via photopin (license)