Identity Crisis

  • February 1, 2019

With revisions to the Personal Data Protection Act, everyday episodes of identity card misuse – such as having to surrender your IC just to attend a friend’s party at a private residence – will soon be over.

Many people who visit private residential buildings, such as condominiums, in Singapore would be expected to exchange their IC for the entry pass. This is set to change. From 1st Sept 2019, it will be illegal for organisations to collect, use or disclose NRIC numbers or make copies of the identity card, under stricter rules spelt out on Aug 31 last year, by the Personal Data Protection Commission.


Leading this charge is the country’s privacy watchdog, the Personal Data Protection Commission (PDPC), which launched a public consultation on the proposed revisions in November 2017. The Commission’s bugbear has been the overuse, if not misuse, of NRIC data that it rightfully termed a “permanent and irreplaceable identifier” in its consultation paper. Additionally, the PDPC’s concern extends beyond the national identification cards themselves to copies of them and to the string of letters and digits that is unique to each citizen.

The proposed revisions bar building and business owners from the “indiscriminate collection and use” of NRIC data that may increase the risk of identity theft and fraud. Several common everyday situations highlighted by the PDPC that do not actually require disclosure of NRIC data include:

  • Retaining of visitor NRICs by private building management and estates in exchange for visitor passes
  • Keeping NRICs as collateral for bicycle rental
  • Gathering of NRIC numbers by mall and retail operators for membership, loyalty and rewards programmes and lucky draws
  • Using NRIC numbers as booking references for online purchase of movie tickets as enforced by cinema operators
  • Collecting NRIC numbers to keep a record of free car park redemptions made


These suggested changes make for the first major review of the PDPA since it came into effect in July 2014. To those concerned about privacy, it is high time for such a change.

“These proposed changes come as an overdue development in Singapore,” says Daniel Song, Senior Associate in the Technology and Communications practice at law firm Bird & Bird ATMD. “Similar restrictions have existed in several major jurisdictions, such as Hong Kong. Hong Kong’s data privacy laws contain a long-standing set of guidelines relating to the handling of Hong Kong identity card numbers, first issued in 1997 and recently revised in 2016.”

Responses gathered during the consultation period, which ended in December 2017, also showed the timeliness of these tweaks. In a PDPC-released document of responses to the consultation, multiple comments from members of the public brought up security concerns of current practices, some of which they felt were going overboard. One such comment, by a ‘Sarah Koh’, stated, “This practice should have been abolished a long time ago. Even the police do not retain our ICs (they only take down details), let alone security guards of buildings. I shudder to think how many strange unknown parties have physical photocopies or scanned images of my IC.”


These changes do not mean that NRIC details must remain completely stowed away in one’s back pocket, only that they should be collected solely when necessary to accurately identify an individual. Instances include applications for insurance or being involved in high-value property transactions.

The new guidelines are expected to go into effect around mid-2018, but organisations will be allowed a ‘sunrise’ period of 12 months to implement changes to their practices.

This may give time to the citizenry to acknowledge these tweaks, familiarise themselves with their privacy rights, and beef up their data security. After all, issues of cyber-security and data protection are also coming increasingly into focus as the country continues on its national drive to be a Smart Nation.

“With more innovative technologies being adopted under the Smart Nation drive, it is likely that more novel or complex data privacy issues will arise,” surmises Song. He adds that the legal position on these issues “may not be as straightforward as they may not have been contemplated or considered by the regulators when the data privacy laws were enacted”.

However, Song also points out that the PDPC recently proposed to introduce an Enhanced Practical Guidance framework. “It provides organisations with legally binding guidance on PDPA compliance in relation to complex or novel issues where there is no clear position under the PDPA.”


In the meantime, organisations can start working on alternatives to track stray customers or maintain the security of their premises. This could be in the form of giving patrons unique tracking or reference numbers, QR codes, organisation-generated IDs and passwords, and even instituting a monetary deposit policy if it fits. Collection of information could still be done via patrons’ names, email addresses and mobile phone numbers.

Individuals, too, need to have their own reality check on how much they should be sharing, especially given the worrying results of the PDPC’s Consumer Survey on the PDPA last year. While 98% of over 1,500 respondents felt responsible for protecting their own data, 73% of the surveyed pool were still willing to share personal data in exchange for a cheap freebie or a one-in-a-million chance in a lucky draw.

“Practically, individuals should take a common-sense approach when disclosing their personal data to organisations, and consider whether the personal data requested is reasonable in the circumstances of the products or services that are sought by the individual,” Song recommends.


Your IC may not need to leave your wallet as frequently as before, but do note that the information on it can still be collected without your consent — when the law requires it.

These instances include:

  • Hospital admission or seeking of treatment in healthcare institutions
  • Entrance into a secured building
  • Enrolment of children into a childcare centre
  • Hotel check-in
  • Subscription to telecommunication services


  • Invest in a paper shredder to destroy documents that reveal personal and financial information about yourself, such as bank statements and tax letters. Otherwise, take extra care to shred them thoroughly by hand.
  • Proper disposal of personal data should also apply at your workplace; this extends to other storage mediums, such as CDs and DVDs. Do note that companies that fail to dispose of personal data properly can be penalised for what constitutes a data breach.
  • Sign up with the Do Not Call (DNC) Registry at to opt out of receiving marketing and advertising messages on your phone. Registration is free.
  • Empower yourself and learn how you can protect your data by keeping abreast of the Act and its current iteration on the PDPC’s website at