Complying with Singapore PDPA for National Identification Numbers?

The Personal Data Protection Commission (PDPC) of Singapore updated its national registration identity card (NRIC) rules to enhance consumer protection from 1st Sep 2019. This data protection policy was put in place by the Singapore government to comply with the Personal Data Protection Act.

1. If not required by law, companies are not allowed to obtain user’s/customer’s NRIC number. Thus, requesting for photocopy of identity document in this instance, will be absolutely illegal.
   • Such instances include but are not limited to redemption of free parking, signing up for retail membership, submitting feedback or registering interest in a product/service, online purchase of movie tickets, and participating in a lucky draw.
2. Companies can only collect and use NRIC number if required by law, or when it is necessary to accurately establish or verify the identity of an individual to a high degree of fidelity.
   • Examples of such instances are: seeking medical treatment, checking into hotels, subscribing to mobile telephone lines, enrolling into private education institutions, and new employees joining an organisation.

The ruling isn’t just limited to citizens’ and permanent resident’s NRIC, but also Foreign Identification Number (FIN), NRIC data, Work Permit number, Birth Certificate number, as well as any document containing these numbers.

Check-out the Advisory Guidelines (PDF).

Alternatives to NRIC

In event where your business is not allowed to collect user’s NRIC, some alternatives suggested by PDPC are:

1. User-generated ID
2. Tracking number
3. QR code
4. Monetary deposit
5. Partial NRIC (e.g. last 3 numerical digits and checksum of IC)

Protect Your Customer’s IC Document

And to organisations who are allowed to collect customer’s NRIC, you may want to consider taking measures to uphold information security, and to protect your customer’s personal data.

Many businesses are operated on external sales or dealer networks. Taking the mobile network operator as an example, a subscription to prepaid or postpaid mobile service often involves a touchpoint operated by a dealer. In such instances, as the customer’s identity document is captured as part of the sign-up process, the customer’s IC is exposed to the risk of document mishandling and disclosure of sensitive personal data without the customer’s consent.

1. If the customer’s IC document is captured as a photo from the mobile registration app, the photo is likely to be available as a copy that is re-distributable without being “crossed” or watermarked.
2. If customer’s IC document is copied using an imaging device, there is a chance that multiple copies can be made easily with the touch of a button. This can lead to identity theft of the affected individual’s NRIC details.

Using OCR in Mobile Sales App to Capture Customer’s IC

A tested solution to address the above-described issue of mishandled IC document is by incorporating OCR (optical character recognition) function into your mobile point of sales app. By using OCR, NRIC can be easily scanned from the mobile app within 2 seconds:

1. Firstly, the OCR technology makes sure that your sales representative is scanning the correct NRIC document, and not any other unexpected input.
2. NRIC details such as NRIC number and full name can be automatically populated into your registration/enrolment form.
3. At the same time, an image of the NRIC document is automatically captured and automatically imposed with watermark that describes the purpose of this document image, such as “ for Company XYZ service sign-up purpose only ”.

OCR demo using an altered NRIC specimen

All these, happen within a few seconds. Your sales representative will not be able to keep a copy of the original NRIC document without any watermark imposed. Even when s/he attempts to perform a screen capture, your mobile sales app has already automatically imposed a watermark that only shows a partial NRIC number at best. As compared to the traditional method of making photocopies of NRIC documents, digital capture promotes a higher degree of customer privacy protection and safeguards sensitive data.

Through a partnership with Microblink , one of the world’s best mobile OCRs for ID document scanning, we are already serving a number of mobile network operators in Malaysia to address identity theft issues using the OCR method as described above. These implementations account for tens of thousands of telco providers nationwide. Not only is the identity theft issue being addressed, but the sign-up process for prepaid registration has also decreased from 15 minutes to less than 3 minutes.

We already support OCR scanning of Singapore’s NRIC. It works even in offline mode. Checkout our demo app – EMAS ID, available for Android and iOS .