Prohibit Organisations from Storing Scans of Identification Documents Longer than Necessary in Light of MyRepublic Data Breach

21 Mr Gerald Giam Yean Song asked the Minister for Communications and Information in light of the MyRepublic data breach, whether the Ministry intends to prohibit organisations from storing scans of identification documents like the NRIC beyond the period required for identity verification.

Mrs Josephine Teo: The Personal Data Protection Act (PDPA) already sets baseline requirements for organisations to cease retaining documents containing personal data when it is no longer needed for legal or business purposes. These include scans of identification documents.

Specifically, for telecommunication licensees, it is a licensing requirement to retain the identification record of a subscriber for at least 12 months following the termination of services by the subscriber. This is to ensure that agencies investigating fraudulent and/or criminal acts can review such identification records if telecommunication services were used for such purposes.