December 04, 2018

What do the New PDPC Guidelines on NRIC Mean for You and Your Business?

Singapore’s Personal Data Protection Commission (PDPC) has recently announced[1]that stricter guidelines on the collection of the National Registration Identification Card (NRIC) will be implemented from 1st September 2019. An individual’s NRIC number is a lifelong and unique identifier, which in the wrong hands, could lead to dire long-lasting consequences. These new guidelines are a timely move by the PDPC in light of the recent SingHealth data breach, where the records of 1.5 million patients, including Singapore Prime Minister Lee Hsien Loong, were compromised.

Know Your Personal Data Protection Rights

As there has been a sharp increase in the misappropriation of people’s personal data, it has left many organisations highly vigilant towards the threat of data breaches. Individuals should be aware that they do not have to allow their NRIC numbers and other national identification numbers (or copies of NRIC or other national identification documents) to be collected, used or disclosed, or for their physical NRICs or other national identification documents to be retained, by organisations, unless one of the exceptions apply. For instance, individuals can refuse disclosing their personal details to organisations for purposes such as buying movie tickets, taking part in surveys, signing up for contests and lucky draws, renting a bicycle or redeeming parking coupons. Individuals should also consider asking the relevant organisation if any alternative personal data can be accepted instead (e.g. an email address or a mobile number).

However, there are specific instances where individuals will have to disclose their personal details as a mandatory identifier. These circumstances are those that are required by the law, such as collecting prescribed medication, subscribing to a mobile/internet plan at the telecommunication company, enrolling into an educational institution or checking into a hotel. As good practice, organisations should still notify the individual of the purpose for the collection, use or disclosure.

Preparing for the New PDPC Advisory Guidelines  

In collaboration with a legal partner, Shred-it has created a guidebook to provide the public with more information on how to prepare themselves for the new guidelines. It is crucial that organisations adapt to these new changes or risk being fined by the PDPC and lose customer trust.  

Shred-it’s guidebook sheds light on key topics such as Singapore’s current data protection landscape, what
you need to know about the PDPC’s new guidelines and tips that assist organisations to prepare for this. This is a helpful resource for Data Protection Officers (DPO), responsible for ensuring the organisation’s overall security, to inform themselves on the vital steps required in order to remain proactive in thwarting data breaches whether from external hackers or careless staff.

Timely Reminders to Protect Our Data

The smallest things matter when it comes to data protection. A stray piece of paper containing NRIC numbers left on a table, or throwing a document into a recycling bin without properly destroying it, can result in personal information being left exposed to information thieves, who could use it for their own gain. Inculcating the habit towards maintaining a clean desk policy, shredding all unwanted documents and ensuring that hard drives are disposed of securely are timely reminders for organisations and their staff. It is also vital for individuals and consumers to watch out for the signs of a potential data breach, and to report breaches to the PDPC.

Start Protecting Your Business

Organisations that integrate data protection into their business processes can reduce the risk of a data breach. Learn more about how Shred-it can protect your documents and hard-drives by contacting us for a free quote and a security risk assessment.


[1]PERSONAL DATA PROTECTION COMMISSION. (2018). Main advisory guidelines. [online] Personal Data Protection Commission. Available at: