“Please provide us with your NRIC details” is hereby disallowed!
In August 2018, the Personal Data Protection Commission (PDPC) published the Advisory Guidelines on the PDPA for NRIC and other National Identification Numbers. The guidelines clarify how the Personal Data Protection Act (PDPA) regulation applies to the way organisations collect, use, and disclose NRIC numbers (or copies of NRIC), and retain physical NRICs.
The treatment for NRIC numbers also applies to Birth Certificate numbers, Foreign Identification Numbers (FIN) and Work Permit numbers, collectively referred to in these guidelines as ‘other national identification numbers’.
The guidelines state that an organisation may collect, use or disclose a person’s NRIC number with notification and consent, when it is necessary to accurately establish or verify the identity of the individual to a high degree of fidelity.
- In summary, your bank and law firms are able to collect this details for the purpose of helping you with your property transaction matters!
- Property agencies and agents may also collect your NRIC/ FIN /Work Permit numbers of their clients, specifically for the purposes of facilitating property transactions, such as:
- Carrying out responsibilities mentioned in the Professional Service Manual, e.g. confirming the identity of the client, confirming the owner of the property and the property details, completing the Prescribed Estate Agency Agreements, and
- Assisting clients to complete other forms and agreements related to the property transactions such as tenancy agreements and Option to Purchase forms.
Note: When property agencies and agents collect a copy of your clients’ identification numbers (e.g. copies of any identification documents bearing national identification numbers such as NRICs, driver’s licences, or employment passes), they are also considered to have collected personal data related to the identification numbers. So they are subjected to the Data Protection Provisions of the PDPA for that collection.
This applies to property transactions as the inability to accurately identify an individual to a high degree of fidelity may pose a risk of significant impact or harm to an individual and/or the organisation. Such harm could include financial, personal or proprietary damage. See paragraph 3.13b of the guidelines.