From 1 September next year, it is unlawful for organizations to collect, use or disclose the NRIC numbers of individuals or to make copies of the card, under stricter rules of the Personal Data Protection Commission (PDPC).
The watchdog for privacy also warned companies that, unless legally required, it is illegal to physically hold a person's NRIC physically.
In a media statement yesterday, it said: "In today's digital economy, careless collection or negligent treatment of NRIC numbers may increase the risk of unintentional disclosure and result in NRIC numbers being used for illegal activities such as identity theft or fraud. " It added that such risks occur because the NRIC number is a permanent and irreplaceable means of identification.
The committee adhered to its proposed guidelines when introducing stricter rules – which were publicly consulted from November to December last year.
However, NRIC numbers or copies of the NRIC can be obtained or shared if they are required by law, such as when subscribing to a new telephone line, making an appointment with a doctor or checking in at a hotel.
NRIC data can also be collected when it is necessary to accurately verify the identity of a person "with a high degree of fidelity", such as for transactions related to healthcare, financial or real estate matters, and when this does not happen, this can compromising safety or causing significant damage.
In such cases, organizations must ensure that they take adequate security measures for the data that comply with the Personal Data Protection Act (PDPA).
Organizations can get a fine of up to $ 1 million for ignoring the law.
The updated guidelines do not apply to the government or a public entity or organization that acts on its behalf.
A spokesman for Smart Nation and Digital Government Office told The Straits Times that the government is the issuing authority for the NRIC, and used it rightly to "fulfill its functions and services in a safe way with citizens".
But the spokesman added that "the government will review its processes to ensure that government agencies restrict the use of NRIC numbers and the retention of physical NRICs to transactions where such use is legally required or necessary to to accurately establish the identity of individuals. "
Private organizations that have collected NRIC numbers are encouraged to check whether it is necessary to keep these numbers and, if not, they must be disposed of in a responsible manner and in accordance with the PDPA disposal methods by next year.
Those who decide to keep their collection must ensure sufficient protection, or choose to anonymize the data.
The updated rules for NRIC numbers also apply to other national identification numbers, including the driving license. Although passports are replaced periodically, the committee said that organizations should also avoid the full passport number of individuals, unless this is justified.
The committee also said that partial NRIC numbers are still regarded as personal data under the law, because an individual can be identified by this.
He reiterated that organizations that collect partial NRIC numbers (up to the last three digits and letters) still have to comply with the data protection provisions of the law and take steps to ensure that these data are protected and not made public.
The committee proposed alternative identifications, such as IDs, sequence numbers or QR-codes issued by the organization by the organization or by users.
Together with the Infocomm Media Development Authority (IMDA), the PDPC helps organizations adjust by publishing a technical guide on replacing the NRIC number with alternative identification data.
The commission and IMDA will identify pre-approved technology solutions that companies can include. They will also develop stencil documents that organizations can use to manage customer expectations during the transition period.