Singapore moots stricter use of national ID, bill to ease data-sharing within government

Government wants businesses to limit their use of NRIC numbers, which is unique to each Singapore resident, and has proposed a new bill to ease data-sharing between government agencies.
Written by Eileen Yu, Senior Contributing Editor

The Singapore government is reviewing guidelines to limit the use of national identification numbers and has introduced a new bill to ease data-sharing within the public sector.

The Personal Data Protection Commission (PDPC) said it was looking to revise advisory guidelines in the country's Personal Data Protection Act (PDPA) that pertained specifically to the collection, use, and disclosure of NRIC numbers.

Unique to each Singapore resident, these numbers currently were used widely to facilitate various functions including gaining entry to buildings, signing up for customer loyalty programmes, and participating in lucky draws.

Under the proposed revision, PDPC said some of these common business practices would have to change. It cited, for instance, the collection of NRIC numbers from shoppers to track the number of redemptions for free parking as well as use of such numbers of create retail membership accounts.

It noted that the use of these numbers remained necessary as a way to verify the identity of individuals, such as patients seeking medical treatment and to prevent a risk of harm or impact to the organisation or individual, including instances involving high value contracts.

However, due to the wide use of the ID number to access an extensive range of services, the PDPC said it was necessary to review the guidelines involving its application.

"As the NRIC number is a permanent and irreplaceable identifier that can be used to unlock large amounts of information relating to the individual, the indiscriminate collection and use of individuals' NRIC numbers is of special concern, as it increases the risk that the NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud.

"The collection of an individual's physical NRIC, or a copy of it, is also of concern," the commission said. "The physical NRIC not only contains the individual's NRIC number, but also other personal data, such as the individual's full name, photograph, iris image, thumbprint, and residential address"

The proposed revision also would include a provision allowing businesses up to 12 months, after the updated guidelines had been established, to implement the necessary changes in their processes.

Incidentally, the Singapore public sector is excluded from the PDPA.

Bill to ease data-sharing between government bodies

In another announcement made during parliament this week, the government introduced a new bill aimed at cutting red tape and better enabling public sector agencies to share data with each other.

The Public Sector (Governance) Act 2018 seeks to establish a "consistent system of governance and accountability" across government bodies as well as "clarify the accountability relationship" between these government bodies, respective ministers, and employees.

The Singapore government had long touted the importance of data in the country's push to become a smart nation, urging organisations to share and contribute data. It also made available datasets collected by several government agencies to the public, in the hopes that these could spur the development of new products and services.

Currently, government agencies were guided by their own rules with regards to the use of public data. When formally passed, the new bill would put all public agencies and ministries under the same rules as well as empower the head of civil service to collectively instruct all public sector proponents and require them to comply.

The new bill also would enable government agencies to share data amongst themselves "as permitted" under the data-sharing directive, and "despite any obligation as to confidentiality under the common law".

Safeguards had been included in the bill to prevent any misuse of data, for instance, where access to or the disclosure of data had been carried out without the direction to do so.

Individuals found to be guilty of such offences would face fines of up to S$5,000 or imprisonment of up to two years, or both.

Editorial standards