THE Personal Data Protection Commission (PDPC) agrees with Mr Chan Kwang Ping that NRIC numbers are sensitive personal information and should not be disclosed indiscriminately ("Keep IC numbers confidential"; May 2).
Under the Personal Data Protection Act (PDPA), organisations collecting personal data, including NRIC numbers, have to inform the individuals and seek their consent for the collection, use and disclosure of such data.
The PDPC understands that organisers of seminars and courses sometimes require NRIC numbers for verification and processing of reimbursement of course fees.
The onus is on the organisations to put in place necessary measures to protect the data collected.
As a best practice, organisations should avoid overcollecting personal data where this is not required for their business or legal purposes.
Organisations should consider if there may be alternatives available that meet their needs.
Mr Chan also raised the example of lucky draws. The PDPC has issued guidelines to organisations that when publishing personal data of the lucky draw winners, they should reveal only a portion of the NRIC number.
Organisations should use the full NRIC number only when necessary, for example, to confirm the identity of someone collecting a prize.
The PDPC will review and enhance current advisory guidelines on our website, so as to provide more clarity on the application of the PDPA to NRIC numbers.
We will also include information on good practices that organisations should consider when collecting, using and disclosing NRIC numbers.
Evelyn Goh (Ms)
Director
Communications, Planning and Policy
Personal Data Protection Commission
