When was the last time your organisation asked for a person’s NRIC in exchange for a visitor’s pass, or required a person to provide his/her NRIC number in order to sign up for a rewards programme? These practices will soon be – if they are not already – a thing of the past.
From 1 September this year, organisations can only collect a person’s NRIC number, or make photocopies of the NRIC, if the act is required by law or necessary to identify a person to a high degree of accuracy. Retention of a person's NRIC is governed even more strictly; this is only allowed if it is required by law.
The same guidelines apply to other unique identifiers such as the Foreign Identification Number (FIN), Work Permit number, Birth Certificate number and Passport number.
Explaining the rationale behind this position, PDPC said, “In today's digital economy, indiscriminate collection or negligent handling of NRIC numbers can increase the risk of unintended disclosure and may result in NRIC numbers being used for illegal activities such as identity theft or fraud.”
What constitutes a requirement under the law is usually quite straightforward: it is typically backed by legislation or regulation, for example when a person is seeking medical treatment at a clinic, entering into an employment contract, or enrolling in a private education institution.
But what exactly does "necessary to identify a person to a high degree of accuracy" mean? Two criteria apply: where failure to identify the person accurately may pose a significant safety or security risk, or where it may pose a risk of significant impact or harm to an individual and/or the organisation. Typical examples would include insurance applications and claims, or disbursements of substantial financial aid.
Organisations that collect partial NRIC numbers, up to the last four alphanumeric characters, are not subject to the NRIC guidelines per se, but must still put in place adequate measures to protect the partial NRIC details and other personal data they hold. In the run-up to 1 September, several organisations from the Security Services and Retail sectors shared with the PDPC what they have been doing to prepare for the compliance deadline.
A practice that is not unusual among the security services industry is the retention of NRICs in exchange for a visitor’s pass, to control access to premises such as industrial buildings and educational institutions.
As Mr Haniff Sabar, Senior Assistant Director, Special Duties at TwinRock Global explained, the collection of visitors’ data and the retention of their NRIC is a security measure to ascertain the particulars of a person in the event of a security incident. It also serves as a safety measure to keep track of the identity and number of visitors within the premises or building in the event of an emergency.
In light of the NRIC guidelines, TwinRock has replaced visitor passes with single-use visitor labels, eliminating the need to retain physical NRICs as collateral for the passes. It is also implementing a mobile application-based visitor management system with barcode scanning that automatically collects only the last three numerical digits and the letter of NRIC numbers.
Similarly, Metropolis Security Systems has been reviewing its access control procedures. For example, for assignments that require its security personnel to take down NRIC numbers, only the last three numerical digits and the letter are recorded. It also does not use the NRIC as collateral in exchange for passes.
The primary factor when deciding to collect the NRIC information is whether the premises are mandated by law to collect the NRIC details. Other than that, we will always discuss with clients the type of other information, such as names and telephone numbers, to be collected from the visitors as other forms of identifiers.
Another security and risk management company, Soverus, has also been advising and working with building owners and managing agents on compliance with the NRIC guidelines, including the assessment of other suitable identifiers that can be used in place of NRIC numbers. At the back end, it has also started to replace existing NRIC numbers in its databases with other identifiers, and uses a password-protected Visitor Management System that automatically masks the first few digits of the NRIC.
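The partial-retention practice the security firms describe (keep only the last three digits and the letter, mask the rest, and migrate existing full numbers in the database) is shown below as an added example; it is not code from the PDPC, TwinRock, Metropolis or Soverus. The identifier format (one prefix letter from an assumed set, seven digits, one checksum letter) and the sample record are assumptions constructed for the example; no checksum is verified.

```python
import re

# Assumed NRIC/FIN shape for this example: prefix letter, 7 digits, checksum letter.
# The prefix set is an assumption; the checksum letter is not validated here.
_FULL_ID = re.compile(r"^[STFGM]\d{7}[A-Z]$")
# Stored form permitted under the partial-collection practice: last 3 digits + letter.
_PARTIAL_ID = re.compile(r"^\*{4}\d{3}[A-Z]$")


def to_partial(full_id: str) -> str:
    """Reduce a full identifier to its retained suffix, e.g. 'S1234567A' -> '****567A'.

    Malformed input is rejected rather than stored, so an unrecognised string
    (which might be a full number in another layout) never lands in the field.
    """
    candidate = full_id.strip().upper()
    if not _FULL_ID.fullmatch(candidate):
        raise ValueError("input is not a well-formed NRIC/FIN")
    return "****" + candidate[-4:]


def is_partial(value: str) -> bool:
    """True if the value is already in the masked, retained form."""
    return bool(_PARTIAL_ID.fullmatch(value))


def scrub_record(record: dict, field: str = "nric") -> dict:
    """Back-end migration step: convert a stored full number to its partial form.

    Values already partial are kept; anything unparseable in the identifier
    field is dropped, since retaining unknown content there defeats the purpose.
    """
    scrubbed = dict(record)
    value = scrubbed.get(field)
    if value is None or is_partial(value):
        return scrubbed
    try:
        scrubbed[field] = to_partial(value)
    except ValueError:
        del scrubbed[field]
    return scrubbed


def matches_partial(presented_full_id: str, stored_partial: str) -> bool:
    """Counter-side check: compare a presented card against the stored partial only.

    The full number presented is reduced in memory and is never written anywhere.
    """
    return to_partial(presented_full_id) == stored_partial


# Constructed sample record (not a real person's data).
SAMPLE_RECORD = {"name": "Visitor A", "nric": "S1234567A", "purpose": "delivery"}
```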
In rolling out these changes, some of the key challenges that security services face are managing clients’ expectations and changing staff mindset.
Some clients may also be concerned about potential compromises in security standards with the change in security protocols, said Mr Haniff of TwinRock.
To provide the necessary assurance, TwinRock works closely with clients to determine their core needs and concerns before implementing the changes.
“Changes in personal data protection requirements inevitably cause concern and anxiety to businesses because of the possibility that they may have to implement drastic changes in their procedures and protocols,” said Mr Haniff. “The key learning point is to increase awareness and education on the rights of both businesses and members of the public under the PDPA.”
“Mutual understanding is vital to minimise disruptions to daily operations and activities while implementing the changes,” he added.
Security companies are constantly working to educate officers on the ground on the importance of protecting personal data. Metropolis Security Systems, for example, organises regular briefings and training sessions to ensure that their security personnel adhere to PDPA requirements. Its management staff also attend seminars on personal data protection so that they are able to explain the PDPA requirements clearly to clients.
The biggest challenge came in convincing the customers.
In the retail sector, NRIC particulars are often captured when customers register for loyalty membership, purchase or redeem vouchers, or fill in survey forms, or claim lucky draw prizes.
That has changed for many. Retail businesses such as Popular Holdings no longer collect NRIC numbers unless the circumstances warrant the need to accurately prove the customer’s identity. One practice it has changed is the procedure for claiming lucky draw prizes. Instead of collecting the winners’ full NRIC numbers, Popular Holdings now only asks to see their NRIC, to verify it against the partial NRIC number provided by the participants when they joined the lucky draw.
“Based on feedback, many of them found it more convenient to use their NRIC to verify their membership status.”
To tackle this, Popular Holdings ensured that proper training was given to all its service staff across the different touch points, so that they can help to educate customers that the changes are important for protecting their personal data.
“An organisation that goes the extra mile to understand their customers’ perspectives and address their concerns will earn trust in the long run and build a stronger relationship,” said Mr Cham.
For Far East Organization’s Retail Business Group which manages the ShopFarEast Rewards Programme, personal data is collected through the programme’s mobile application, website and shopping mall concierge counters when new members sign up.
We appreciate that there is no room for complacency when it comes to PDPA compliance and being prepared against cyber risk. Since the announcement of the new guidelines on the use of NRIC numbers, we have taken steps to remove all members’ NRICs from our database as well as cease further collection of identification numbers from new members. The main identifier for members of ShopFarEast is now mobile numbers.
For CapitaStar, CapitaLand’s multi-mall, multi-store rewards programme with more than 970,000 members in Singapore, communications about the phasing out of NRIC usage started early, said Mr Reuben Yong, Head of Retail Coalition, CapitaLand Singapore. In October 2018, about a month after the new guidelines were first announced, CapitaStar started reaching out to their members about the upcoming changes and gave them the option of using their mobile number for registration.
With effect from 8 January 2019, the programme ceased using NRIC numbers as the primary identifier and stopped collecting NRIC numbers when customers participated in the malls’ activities.
By 1 July 2019, CapitaStar would have instituted the use of mobile numbers as the login ID and deployed QR code scanners at its counters to scan the QR code found within the CapitaStar app. This keeps customers’ mobile numbers confidential and speeds up the customer service process.
For CapitaVoucher, another consumer product of CapitaLand, partial NRIC/ID numbers will still be collected for all corporate sales/redemptions and counter sales to individuals for amounts above S$10,000. This is in line with directives from the Monetary Authority of Singapore, which are intended to address issues such as money laundering and terrorism financing.
At the back end, CapitaStar’s systems were updated to enable the registration and identification of CapitaStar members without the use of NRIC. Where NRIC had to be captured, for example to log high-value transactions for CapitaVoucher, the data was partially masked. Other than these exceptions, all NRIC data was expunged from its database, and all communications, backend systems and reports no longer carried NRIC information.
In carrying out these changes, the main challenge that CapitaStar faced lay in balancing customer experience with compliance with the new regulations.
A special project team was formed to work closely with its in-house Data Protection Officer to ensure compliance. The team is responsible for educating internal and external stakeholders through active communication, revamping the internal processes and ultimately delivering a seamless customer experience.
“Ensure there are sufficient communication channels with clear and consistent messaging to inform and give assurance to consumers about the change,” said Mr Yong. “Customers usually welcome positive changes that are made to protect them.”