Keeping customer data private

Businesses should start preparing for new personal data protection guidelines regarding their customers’ NRIC data

In the light of high-profile data breaches here, the Government is putting in place data protection guidelines concerning the collection and retention of NRIC and other national identifiers by organisations here. The new guidelines, which come into effect on September 1 this year, are covered under the Personal Data Protection Act (PDPA). The NRIC is commonly used today for transactions with the Government and businesses, and can be used to unlock large amounts of information relating to the individual.

Singapore suffered its worst cyberattack in June last year when hackers infiltrated the databases of SingHealth, which comprises the largest group of healthcare institutions here. The hackers stole the personal particulars of 1.5 million patients, including the outpatient prescriptions of Prime Minister Lee Hsien Loong and a few ministers.

In January this year, SingHealth was fined a total of S$1 million by the Personal Data Protection Commission (PDPC) for the data breach. It was the largest fine imposed by the commission to date.

The Info-communications Media Development Authority (IMDA) conducted several sessions with Singapore Business Federation (SBF) members last year on the guidelines. According to the government agency, an organisation that exposes their customers’ data to a cyberattack can suffer from reputational loss, as well as increased time and cost in managing the breach.

Know the PDPA guidelines

Under the PDPA guidelines, organisations are not allowed to collect, use or disclose NRIC information except where it is required under the law (or where an exception under PDPA applies), or is necessary to accurately establish or verify the identity of an individual.

Instances of when NRIC or other national identification numbers is allowed to be collected under the law include when a new employee joins an organisation, checking into a hotel or seeking treatment at a medical clinic. They can also be collected to verify entry into a school or for insurance claims.

Organisations that collect a copy of an NRIC must also ensure it is not collecting excessive personal data contained in the copy. They must also not retain the physical NRIC (or any ID containing NRIC numbers) except where it is required under the law. However, sighting of the physical NRIC for verification purposes is not considered a collection of personal data.

Impact of Customer Data Protection Restrictions on IT systems

These restrictions may require organisations to make changes to some of their IT systems and processes. For instance, a company’s Customer Relationship Management or point-of-sale system should not collect NRIC information unless it is required by law; such as when a customer subscribes to a new phone line.

A firm’s Human Resource Management system should also not collect such information when a potential hiree is applying for a job, unless the employment relationship has been established, including through the Employment Act.

Finally, a Visitor Management System should not capture NRIC numbers unless it is necessary to accurately establish or verify the identity of the individual. This may apply when a person wants to gain entry into a pre-school, for example.

How to comply with PDPA guidelines

To avoid exposing customer data, companies can consider using alternative means of identifying customers. These include using nicknames picked by customers, a membership number generated by the organisation, email addresses, mobile numbers, or a combination of identifiers (for example: first name + last name, date of birth + part phone number, partial NRIC number + mobile number).

A 2018 PDPC consumer survey on Consumers’ Preferred Identifier for Membership Loyalty showed that only 39%of respondents wanted to use their full NRIC number, with the majority preferring either their name or mobile number or name and partial NRIC number as identifiers.

To help companies adhere to the guidelines, the PDPC offers a technical guide for organisations on replacing NRIC numbers in websites and systems. You can access the guide here.