What Personal Information Can Organisations Collect
Since the Personal Data Protection Commission (PDPC) implemented its new NRIC guidelines on 1 September 2019, organisations in Singapore are no longer allowed to collect, use or disclose NRIC numbers, or to make copies of the identity card, except in limited circumstances. An organisation found to be in breach may face financial penalties of up to S$1 million under the PDPA, as well as reputational damage. It is therefore crucial for organisations to ensure their data collection processes are compliant.
When can organisations collect personal data?
While the collection of personal data such as NRIC details is no longer permitted for most organisations in Singapore, there are a few exceptions. Here are some examples of organisations that can collect NRIC details because the law requires it:
- Clinics and hospitals: Under the Private Hospitals and Medical Clinics Regulations, medical establishments are required to keep accurate and updated records of their patients to ensure that medical treatment is administered to the correct patient.
- Telecommunication companies: As evidence of identity for those who want to subscribe to a new mobile line, telecommunication companies are allowed to collect personal particulars of individuals such as their NRIC numbers.
- Human Resource departments: All employers are required to keep detailed employment records of their employees, including their NRIC numbers and other relevant information as stated under the Employment Act. However, there is no requirement by law to collect NRIC numbers during job applications.
Data Protection Obligations
As set out by the PDPC, there are nine data protection obligations under the PDPA that organisations must abide by where personal data is concerned. These obligations are:
- Consent: Individuals need to agree to the collection, use and disclosure of their personal data. Individuals are also entitled to withdraw their consent.
- Purpose: Organisations may only collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances, and must not require more data than is reasonably needed to provide the goods or services.
- Notification: Organisations need to inform individuals of the purpose for the collection, use and disclosure of the individual’s personal data.
- Access and Correction: Upon request, organisations need to provide individuals with their personal data and information on how it has been used or disclosed within the past year. Organisations are also required to correct any errors or omissions in the individual's personal data.
- Openness: Under the PDPA, organisations are required to appoint a Data Protection Officer (DPO) and ensure that the DPO is contactable by the public. Organisations are also required to be transparent about their data protection practices, policies and complaint-handling processes.
- Protection: Personal data must be safeguarded by reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, and similar risks.
- Accuracy: Make a reasonable effort to ensure that personal data collected is accurate and complete, particularly where it is used to make a decision that affects the individual.
- Retention: Organisations are to cease retention and properly dispose of personal data when the purpose of keeping such data has ended.
- Transfers: Before transferring personal data overseas, ensure that the recipient provides a standard of protection comparable to that under the PDPA (Personal Data Protection Act).
Data Protection Officers play an essential role in data protection and accountability. Organisations are also encouraged to inform their employees and customers of their data protection policies, practices and processes to ensure protection and transparency when it comes to personal data.
Start Protecting Your Business
An organisation that integrates data protection into its business processes reduces both the risk of a data breach and the risk of PDPA non-compliance. Learn more about how Shred-it can protect your documents, and contact us for a free quote and security risk assessment.