Parliament Sitting on 1 October 2018

QUESTION FOR WRITTEN ANSWER


2306. Ms Rahayu Mahzam:
To ask the Minister for Communications and Information in light of the updated Advisory Guidelines issued by the Personal Data Protection Commission for NRIC and other national identification numbers (a) what are the initiatives that will be taken to ensure organisations review and implement the necessary changes to their business practices and processes to be aligned to the guidelines; (b) how will enforcement be carried out to check on organisations who continue to inappropriately collect NRIC numbers and ensure those who had previously done so dispose of these sensitive data in a proper manner; and (c) what is the platform and process for consumers or members of the public who wish to make a report on organisations who inappropriately collect NRIC numbers.

Answer:

Mr Speaker, the Personal Data Protection Commission, or PDPC, recently updated its Advisory Guidelines on the collection, use and disclosure of NRIC and other national identification numbers. In summary, the Guidelines set out that organisations are allowed to do so only if it is required by the law, or if it is necessary to accurately establish or verify an individual’s identity to a high degree of fidelity.

2 The PDPC, together with the Infocomm Media Development Authority, or IMDA, is adopting a two-pronged approach to help organisations align their practices with the Guidelines.

3 Firstly, PDPC is increasing awareness among organisations of the Guidelines through its outreach activities. For example, PDPC has briefed trade associations on the Guidelines. PDPC will also be carrying out additional briefings and producing collaterals for distribution to companies.

4 Secondly, PDPC and IMDA are providing organisations with technical support to make the transition. These include a technical guide on alternatives to NRIC numbers for websites and public facing computer systems; a template to notify customers of the organisation’s efforts and timeframe to comply with the Guidelines; and pre-approved solutions that organisations can adopt, such as visitor management and customer management systems. Organisations can reach out to PDPC or PDPC’s panel of Data Protection Advisors for assistance.

5 To allow organisations adequate time to review and refine their existing business practices and processes to comply with the Guidelines, they will take effect on 1 September 2019. Thereafter, individuals who encounter non-compliance can lodge a complaint with the PDPC. PDPC will review each complaint and take appropriate actions, such as directing non-complying organisations to dispose of the data and imposing financial penalties.   

 
MCI’s response to PQ on RuPauls' Drag Race show Parliament QAs Infocomm Media 15 Jan 19
Statement by Mr S iswaran, Minister-in-Charge of Cybersecurity, on the Government’s response to the report of the Committee of Inquiry into the cyber attack on SingHealth, during Parliamentary Sitting on 15 January 2019 Parliament QAs, Speeches Cyber Security, Personal Data 15 Jan 19
MCI’s response to PQ on measures to protect personal data of Facebook users Parliament QAs Personal Data 14 Jan 19
MCI’s response to PQ on telco operators’ call centres Parliament QAs Infocomm Media 14 Jan 19
Speech by Mr S Iswaran, Minister for Communications and Information, at the opening of Library@HarbourFront on 12 Jan 2019 Speeches Libraries 12 Jan 19
Public Report of the Committee of Inquiry (COI) into the cyber attack on Singapore Health Services Private Limited Patient Database Press Releases Cyber Security 10 Jan 19