Parliament Sitting on 5 October 2021

QUESTION FOR WRITTEN ANSWER


57. Mr Gan Thiam Poh: To ask the Minister for Communications and Information regarding the use of NRICs in applications for telecommunication access (a) what measures are in place to increase protection of users' information obtained by telecommunication providers; (b) whether the Ministry will consider allowing other forms of identification, such as driver licences, which have less personal information; and (c) whether the Ministry will consider imposing penalties and compensation to users based on the severity of breaches.

Answer:

1. The Info-communications Media Development Authority (“IMDA”) requires telecommunication licensees (“telcos”) to maintain accurate records of the identity of their subscribers, including a copy of their NRIC, passport or employment pass. This requirement is not unique to Singapore, nor to the telcos. As is the case for telcos in other countries, or sectors like banking and healthcare, it is necessary to have accurate information on customer identity to help combat fraud and crimes. 

2. Organisations that maintain personal records, including NRIC information, are expected to implement the necessary safeguards for their IT systems and put in place processes for internal monitoring. Where personal data, such as NRIC numbers, is stored alongside sensitive data, more stringent security measures should be put in place. Some examples of such measures include encryption, access-logging and multi-factor authentication for systems. The Personal Data Protection Commission (“PDPC”) has issued guidance on the stringent security measures required in its Guide to Data Protection Practices for ICT Systems. The PDPC has meted out higher financial penalties to organisations found with inadequate safeguards to protect sensitive personal data. 

3. The  Personal Data Protection Act (“PDPA”) was amended last year to strengthen enforcement powers and introduce additional safeguards which organisations must comply with. This includes informing affected individuals of a data breach so they can take timely steps to protect themselves. As organisations have a responsibility to their customers to ensure proper service recovery, the PDPC has recommended that organisations put in place breach management plans. Affected individuals also have the right of private action for relief in civil proceedings under the PDPA. 

4. In instances where the collection of residents’ personal particulars is required, one option the Government has implemented is Myinfo. This allows residents to consent to sharing government-verified information securely and seamlessly, removing the need for physical documents. We are working with telcos to facilitate the use of Myinfo. 
Opening Remarks by Mrs Josephine Teo, Minister for Communications and Information, at SCS Tech3 Forum on 15 Oct 2021 Speeches Infocomm Media 15 Oct 21
Closing Remarks by Ms Rahayu Mahzam, Parliamentary Secretary, Ministry of Communications and Information, at the DBS Judiciary MCI Hackathon for a Better World 2021 Judging Day on 7 October 2021 Speeches Others 07 Oct 21
Opening Remarks by Ms Sim Ann, Senior Minister of State at the DBS-Judiciary-MCI Hackathon for a Better World 2021 Judging Day Speeches Others 07 Oct 21
Speech by Mr Tan Kiat How, Minister of State for Communications and Information, at the launch of SG Cyber Safe Partnership Programme on 7 October Speeches Cyber Security 07 Oct 21
Keynote Address by Dr Janil Puthucheary, Senior Minister of State for Communications and Information, at International IOT Security Roundtable on 6 October 2021 Speeches Cyber Security 06 Oct 21
Speech by Dr Janil Puthucheary, Senior Minister of State for Communications and Information, at Yellow Ribbon Singapore's Graduation Ceremony for 1st Batch of Media Graduates on 6 October 2021 Speeches Infocomm Media 06 Oct 21