Stricter PDPA NRIC guidelines for organisations: What you should know
Whether we like it or not, we are being watched as prey, and this has never changed since the dawn of the internet. With the sophistication of methodologies that bad actors use to try and pry our private lives and information, a much more robust policy is needed to compensate for the risk involved in the unavoidable handling of personal data, which, in this case, includes NRIC numbers.
The NRIC numbers and the risk in handling them
The Singapore National Registration Identification Card (NRIC) number is a unique number that is given to Singapore citizens and permanent residents of registering age by the Singapore government. It is often used for business transactions and dealings with the government and is considered personal information because of the unique set of numbers and letters that can be used to find out who the person is.
As the NRIC number is a permanent and unchangeable identifier that could be used to access a lot of information about a person, it is especially important to be careful about how it is collected, used, and shared. When NRIC numbers are handled carelessly or without thought, the risk of accidental disclosure goes up. This means that NRIC numbers could be stolen and used for illegal activities such as identity theft and fraud.
With this, under the updated Advisory Guidelines on the Personal Data Protection Act for NRIC, organisations are generally not allowed to collect, use, or disclose NRIC numbers (or their copies), with the exception of the following:
- Collection, use, or disclosure of NRIC numbers (or their copies) is required under the law (or an exception under the PDPA applies); or
- Collection, use, or disclosure of NRIC numbers (or copies of NRIC) is necessary to accurately establish or verify the identities of the individuals to a high degree of fidelity.
Thus, when the collection, use, and disclosure of the NRIC numbers are not for the requirement under the law or to establish or verify the identities of the individuals to a high degree of fidelity, the organisation is prohibited from handling them or else risk a financial penalty from the Personal Data Protection Commission (PDPC) such as in the case of Singapore Taekwondo Federation, a national governing body for taekwondo.
Singapore Taekwondo Federation’s NRIC mishap
In this case, the organisation was fined a hefty financial penalty of S30,000 after it was found out that the NRIC number of 782 students was set out in public and was accessible to everyone. This was due to the human error committed by the organisation’s head of the tournament department.
Moreover, it was found out that Singapore Taekwondo Federation did not have any policy implemented but only left the manner of handling the students’ personal data to an “unwritten SOP.” With this, these leaked NRIC numbers could be used by a potential bad actor to unlock the vast database of information relating to the individual.
The takeaway for this case is the importance of having a concrete policy covering every nook and cranny regarding cybersecurity. Employees are considered the weakest point when it comes to an organisation’s cybersecurity. If there are no written policies that they can follow or were made aware of, then they can be prone to risking your organisation’s healthy cybersecurity posture.
How a DPO can help
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Furthermore, every Organization’s DPO should be able to curb any instances of data breaches as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.
With a DPO, the organisation can ensure that the handling of any NRIC numbers is within the ambit of the PDPA and nothing more. Moreover, part of its tasks is to ensure that there are policies in play so that human error is unlikely.
DPOs complement the efforts of organizations in making sure that the personal data collected, used, and disclosed by the organisation is safe. This is because when there is an instance that the obligation has been breached, DPOs ensure that a protocol for dealing with it has been established and can be employed.
As a consumer who provides my very own sensitive information to each organization I encounter or have a transaction with, I would feel safe if an organization would take the extra mile to ensure that my data is safe, as it affects me whenever a decision is made.