Parliament Sitting on 1 October 2018 QUESTION FOR WRITTEN ANSWER 2306. Ms Rahayu Mahzam: To ask the Minister for Communications and Information in light of the updated Advisory Guidelines issued by the Personal Data Protection Commission for NRIC and other national identification numbers (a) what are the initiatives that will be taken to ensure organisations review and implement the necessary changes to their business practices and processes to be aligned to the guidelines; (b) how will enforcement be carried out to check on organisations who continue to inappropriately collect NRIC numbers and ensure those who had previously done so dispose of these sensitive data in a proper manner; and (c) what is the platform and process for consumers or members of the public who wish to make a report on organisations who inappropriately collect NRIC numbers. Answer: Mr Speaker, the Personal Data Protection Commission, or PDPC, recently updated its Advisory Guidelines on the collection, use and disclosure of NRIC and other national identification numbers. In summary, the Guidelines set out that organisations are allowed to do so only if it is required by the law, or if it is necessary to accurately establish or verify an individual’s identity to a high degree of fidelity. 2 The PDPC, together with the Infocomm Media Development Authority, or IMDA, is adopting a two-pronged approach to help organisations align their practices with the Guidelines. 3 Firstly, PDPC is increasing awareness among organisations of the Guidelines through its outreach activities. For example, PDPC has briefed trade associations on the Guidelines. PDPC will also be carrying out additional briefings and producing collaterals for distribution to companies. 4 Secondly, PDPC and IMDA are providing organisations with technical support to make the transition. These include a technical guide on alternatives to NRIC numbers for websites and public facing computer systems; a template to notify customers of the organisation’s efforts and timeframe to comply with the Guidelines; and pre-approved solutions that organisations can adopt, such as visitor management and customer management systems. Organisations can reach out to PDPC or PDPC’s panel of Data Protection Advisors for assistance. 5 To allow organisations adequate time to review and refine their existing business practices and processes to comply with the Guidelines, they will take effect on 1 September 2019. Thereafter, individuals who encounter non-compliance can lodge a complaint with the PDPC. PDPC will review each complaint and take appropriate actions, such as directing non-complying organisations to dispose of the data and imposing financial penalties.