July 12, 2018

NRICS Personal Data Collection, Confidential Shredding

Information that can be used to identify you, such as full names, mobile numbers, residential address, personal email addresses, credit card numbers and NRIC, is classified as “personal data”. Organisations that wish to serve you better consider your personal data very valuable. However, this same data is often sought after by criminals for illegal purposes such as identity theft or card fraud, to which more than one in three Singaporean consumers fall prey.

In Singapore, your personal data is protected by the Personal Data Protection Act (PDPA). The PDPA, which came into force in July 2014, helps prevent the indiscriminate collection of personal data and ensures that organisations that collect it are fully accountable for how they use, store and ultimately dispose of it.

We tend to overlook the fact that we share our personal data with different organisations every day, often without thinking twice about what the information will be used for or what happens to it after the organisations are done with it. One of the most common ways we share such information in Singapore is by giving out our NRIC to organisations such as shopping mall operators, which use it for purposes such as managing membership accounts, tracking parking redemptions and conducting lucky draws.

By mid-2018, shopping mall operators will be prohibited from asking for your NRIC number for such purposes as part of the newly revised privacy rules of the Personal Data Protection Commission (PDPC) to protect your identity from fraud. NRIC numbers are particularly valuable for fraudsters because, unlike credit card numbers for example, they are allocated to you for life and cannot be changed easily.

However, even though NRICs will no longer be collected as frequently, it is important to remember that the information reflected on the NRIC, such as your name and date of birth, may still be collected and kept, either physically on paper or keyed into a digital system. All collected data is kept and “there to stay” until it is thrown away. If organisations are careless in their disposal methods, criminals may get their hands on it somewhere between the rubbish bins and the processing plants that destroy or recycle the documents or hard drives.

If the collected data is not stored properly, such as when documents with confidential information are left lying around in the office, the data can be accessed by unauthorised persons including contractors, janitors and other staff. This can result in the data being stolen or improperly disposed of, and opens the door to a variety of illegal activities carried out using your identity, including identity theft and money laundering. All data collected by organisations must be disposed of properly with security in mind. This can be done through rigorous workplace procedures such as a Shred-it All Policy. Organisations can also partner with a document destruction expert for the secure disposal of confidential information, including the secure shredding of paper documents, hard drives and electronic media.

We must keep in mind that our personal data is valuable and precious. Under the PDPA, you have the right to decide which organisations can collect your data, how it is used and whether it can be shared. At times, it might not even be necessary for you to provide your personal data at all for companies to provide their services to you. You also have the right to tell an organisation to stop collecting, using or disclosing your personal data. As an individual, you also have the right to demand that companies dispose of your personal data securely. Keep this in mind the next time someone asks you to hand over your personal information.

Secure Shredding to help protect your business

To learn more about how Shred-it can protect your documents and hard drives, please contact us for a free quote and security risk assessment.