Organisations are generally not allowed to collect, use or disclose your NRIC number (or copy of your NRIC). They may do so only if it is required under the law (or an exception under the PDPA applies) or necessary to accurately establish or verify your identity to a high degree of fidelity.
Do the following situations constitute collection of personal data - for example:
(a) checking my NRIC to verify my identity at point of entry into a particular place; and
(b) checking my NRIC to verify my age?
Do not reply to such an SMS or call. Do not interact in any way.
Unsolicited SMSes or calls from unknown sources that are related to loans, financial assistance or online gambling are likely to be associated with unlicensed moneylending and illegal gambling activities. The PDPC investigates all complaints regarding unsolicited telemarketing SMSes or calls seriously. However, unlicensed moneylending and illegal gambling are serious criminal offences in Singapore where the Police are the relevant authority to investigate such offences. If you receive such SMSes or calls, please notify the Police directly by:
Complaints received by the PDPC relating to such activities will be referred to the Police.
The PDPC recognises that organisations may wish to collect partial NRIC numbers when other alternatives are not satisfactory. Organisations that collect the last three numerical digits and checksum of the NRIC number (e.g. "567A" from the full NRIC number of "S1234567A") would not be considered to be collecting the full NRIC number, and therefore not subject to the treatment for NRIC numbers set out in the PDPC's advisory guidelines.
Partial numbers are, however, considered personal data under the PDPA to the extent that an individual can be identified from the partial NRIC number, or from the number and other information to which the organisation has or is likely to have access. Organisations that collect partial NRIC numbers must still comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession or under their control from unauthorised disclosures.
For transactions related to financial and insurance matters, organisations are permitted to collect your NRIC number (or copy of your NRIC) after informing you on the purposes for the collection, use or disclosure of the personal data, and seeking your consent.
Where organisations can collect NRIC numbers of individuals, they will have to comply with the Data Protection Provisions under the PDPA, such as ensuring an appropriate level of security to prevent unauthorised access, collection, use, disclosure or similar risks; and ceasing to retain the data as soon as the purpose for which it was collected is no longer necessary for business or legal purposes.
When must organisations stop collecting, using and disclosing my NRIC number, if they are no longer supposed to do so?
© 2019 Government of Singapore.
Best supported by IE 9 and above, Firefox and Chrome.