Initiatives to Ensure Compliance with Advisory Guidelines for NRIC and other Identification Numbers
Ministry of Digital Development and InformationSpeakers
Summary
This question concerns Ms Rahayu Mahzam’s inquiry about initiatives to ensure organizational compliance with updated Personal Data Protection Commission (PDPC) guidelines regarding NRIC and national identification numbers. Minister for Communications and Information S Iswaran detailed a two-pronged strategy involving outreach to increase awareness and technical support, such as providing guidebooks and pre-approved digital solutions for organizations. These guidelines will take effect on 1 September 2019, allowing businesses time to refine their processes for identity verification and data disposal. Following this date, members of the public can report non-compliance to the PDPC, which will investigate and take enforcement actions against organizations found collecting sensitive data inappropriately. The Minister highlighted that such enforcement includes directing the proper disposal of identification data and the imposition of financial penalties on non-compliant entities.
Transcript
25 Ms Rahayu Mahzam asked the Minister for Communications and Information in light of the updated Advisory Guidelines issued by the Personal Data Protection Commission for NRIC and other national identification numbers (a) what are the initiatives that will be taken to ensure organisations review and implement the necessary changes to their business practices and processes to be aligned to the guidelines; (b) how will enforcement be carried out to check on organisations who continue to inappropriately collect NRIC numbers and ensure those who had previously done so dispose of these sensitive data in a proper manner; and (c) what is the platform and process for consumers or members of the public who wish to make a report on organisations who inappropriately collect NRIC numbers.
Mr S Iswaran: The Personal Data Protection Commission, or PDPC, recently updated its Advisory Guidelines on the collection, use and disclosure of NRIC and other national identification numbers. In summary, the Guidelines set out that organisations are allowed to do so only if it is required by the law, or if it is necessary to accurately establish or verify an individual's identity to a high degree of fidelity.
The PDPC, together with the Infocomm Media Development Authority, or IMDA, is adopting a two-pronged approach to help organisations align their practices with the Guidelines.
Firstly, PDPC is increasing awareness among organisations of the Guidelines through its outreach activities. For example, PDPC has briefed trade associations on the Guidelines. PDPC will also be carrying out additional briefings and producing collaterals for distribution to companies.
Secondly, PDPC and IMDA are providing organisations with technical support to make the transition. These include a technical guide on alternatives to NRIC numbers for websites and public facing computer systems; a template to notify customers of the organisation's efforts and time frame to comply with the Guidelines; and pre-approved solutions that organisations can adopt, such as visitor management and customer management systems. Organisations can reach out to PDPC or PDPC's panel of Data Protection Advisors for assistance.
To allow organisations adequate time to review and refine their existing business practices and processes to comply with the Guidelines, they will take effect on 1 September 2019. Thereafter, individuals who encounter non-compliance can lodge a complaint with the PDPC. PDPC will review each complaint and take appropriate actions, such as directing non-complying organisations to dispose of the data and imposing financial penalties.