Organisations are generally not allowed to collect, use or disclose an individual's NRIC number (or copy of NRIC). They may do so only if it is required under the law (or an exception under the PDPA applies) or necessary to accurately establish or verify the identity of the individual to a high degree of fidelity.

Organisations which collect individuals' NRIC numbers (or copies of NRIC) must be able to provide justification on request to individuals and/or the PDPC on the basis for their collection, use or disclosure of NRIC numbers (or copies of NRIC).

The treatment for NRIC numbers also applies to Birth Certificate numbers, FIN and Work Permit numbers that are issued by the Singapore Government, in view that they are also permanent and irreplaceable identifiers that bear similar risks as NRIC numbers if indiscriminately collected, used or disclosed.

While passport numbers are periodically replaced, they too are important identification numbers that can serve the same purposes as the NRIC, FIN, Work Permit and Birth Certificate numbers. Therefore, organisations should accord passports similar treatment as that for NRICs, i.e. refrain from collecting passport numbers. If there is a need to collect, organisations should limit their collection to partial passport numbers and ensure an appropriate level of security to protect the passport numbers collected.

Organisations should not retain an individual's physical NRIC unless its retention is required under the law. This is given the importance of the NRIC as a national identification document that is issued to all citizens and permanent residents of Singapore, and the impact to the individual should the physical NRIC be misplaced or stolen and used for illegal activities.

Yes, the positions taken for  the retention of the physical NRIC apply to the retention of other IDs that contain the NRIC number (e.g. driver's licence, passport). This is because the risks associated with the indiscriminate retention of physical NRICs as collateral similarly apply to the retention of other IDs that contain the individuals' NRIC numbers. Organisations that wish to retain such IDs should only do so where it is required under the law, and put in place the appropriate security arrangements to protect the personal data in their possession or under their control. 

Where there is no intention to obtain control or possession of the physical NRIC in checking the NRIC for the purpose of establishing or verifying the identity of the individual, and no personal data is retained once the NRIC is returned immediately to the individual, the PDPC does not consider it to be collection of personal data.

Property management and building owners should avoid collecting NRIC numbers and are encouraged to use alternative ways to address their requirements. For instance, organisations may consider checking a visitor's photo identification document and recording the visitor's full name and contact details (e.g. mobile number) or partial NRIC number where relevant.

The PDPC does not prescribe the types of identifiers that organisations should adopt in place of NRIC numbers. Organisations should assess the suitability of alternatives to NRIC numbers based on their own business and operational needs.

However, some alternatives that have been adopted by organisations include organisation or user-generated ID, tracking number, organisation-issued QR code, or monetary deposit. Organisations should also consider whether the alternatives provided are reasonable, and avoid collecting excessive personal data.

The PDPC recognises that organisations may wish to collect partial NRIC numbers when other alternatives are not satisfactory. Organisations that collect the last three numerical digits and checksum of the NRIC number (e.g. "567A" from the full NRIC number of "S1234567A") would not be considered to be collecting the full NRIC number, and therefore not subject to the treatment for NRIC numbers set out in the PDPC's advisory guidelines. For more information on partial NRIC numbers, please refer to the PDPC's Technical Guide to Advisory Guidelines on the Personal Data Protection Act for NRIC and other National identification Numbers.

Partial NRIC numbers are, however, considered personal data under the PDPA to the extent that an individual can be identified from the partial NRIC number, or from the number and other information to which the organisation has or is likely to have access. Organisations that collect partial NRIC numbers must still comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession or under their control from unauthorised disclosure.

Collecting more than the last three numerical digits and checksum increases the risk that the full NRIC number can be generated and correctly matched to an individual. Organisations should be mindful that more information could make it easier to re-identify an individual and therefore weigh the risks carefully against the need for collecting more information. Organisations that collect partial identification numbers must still comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession or under their control from unauthorised disclosure. 

Collecting more information than the last three numbers and checksum of an individual's NRIC number of FIN increases the risk that the full NRIC number or FIN could be generated and correctly matched to the individual. For example, the first letter (e.g. S/T/F/G) provides additional information on the individual's citizenship, and the first two numbers of the NRIC number could also reveal the individual's birth year. This additional information could make it easier to identify an individual if collected. Organisations should therefore weigh the risks carefully against the need to include more information than the last three numbers and checksum of an individual's NRIC number of FIN. Organisations that collect partial identification numbers must still comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession or under their control from unauthorised disclosure. 

An organisation that randomly generates a NRIC number (e.g. by applying an algorithm or using a validator to ascertain that the randomly generated number is a valid NRIC number) will be considered as having collected the NRIC number. The collection, use and disclosure of such numbers is subject to the treatment set out in the Advisory Guidelines on the PDPA for NRIC and other National Identification Numbers, i.e. organisations may not collect, use or disclose such numbers unless it is required by the law or necessary to accurately establish or verify the identity of the individual to a high degree of fidelity.

In situations where the collection, use or disclosure of NRIC numbers is not required under the law or necessary to accurately establish or verify the identities of individuals to a high degree of fidelity, organisations should not collect an individual's NRIC number (or copy of NRIC). Consent obtained from the individual does not override the requirement for organisations to ensure the personal data is collected for purposes that are considered appropriate in the circumstance.

Individuals are not prohibited from choosing to use their NRIC numbers as their preferred identifiers, for example, as their membership or login IDs. Individuals should make their own assessment of the risks associated while using their NRIC numbers for purposes that do not require it. Organisations are not expected to implement a form verification code to reject the NRIC numbers in online forms that allow individuals to type in free text.  

Organisations should review their existing business practices to ensure that their practices are aligned with the PDPC's Advisory Guidelines on NRIC numbers. This would include assessing whether the identification numbers (or copies of ID) in their possession or under their control are required under any law or necessary to accurately establish or verify the identity of the individual to a high degree of fidelity. Organisations should not keep the personal data after it is no longer necessary for the purposes for which the personal data was collected or for any legal or business purpose.

Organisations that collect partial NRIC numbers containing more than the last three numerical digits and checksum of an individual's NRIC number (e.g. SXX34567A) should review their practices and assess whether they should collect just the last three numerical digits and checksum of the individual's NRIC number instead.

Organisations will need to ensure that the necessary operational changes to business practices are made before 1 September 2019.

In the event that the PDPC receives a complaint on the collection, use or disclosure of NRIC numbers contrary to the positions set out in the PDPC's advisory guidelines after 1 September 2019, the PDPC will investigate the matter to establish whether there is a breach of the PDPA. In the event that the failure to adhere to the guidance provided results in a breach of the Data Protection Provisions, the penalties under the PDPA will apply.

SMEs that would like to automate and align their operations with PDPC's updated Advisory Guidelines on NRIC numbers may consider adopting pre-approved solutions available at SME Portal Tech Depot, such as Customer Relationship Management (CRM), Point of Sales (PoS) and Visitor Management System (VMS) solutions, that allow the use of alternative identifiers apart from NRIC numbers.

SMEs may apply for a Productivity Solutions Grant, which provides up to 70% funding support, administered by Enterprise Singapore.