1
hot news TODAY • THURSDAY 11 JULY 2013 4 As a best practice, organisations should avoid over-collecting personal data, including NRIC numbers, where this is not required for their business or legal purposes. Personal Data Protection Commission Businesses want more clarity on Personal Data Protection Act ASHLEY CHIA [email protected] SINGAPORE — The newly-enacted Per- sonal Data Protection Act (PDPA), which requires individuals to be in- formed and consent gained if organi- sations are collecting personal data, does not prescribe the circumstances under which NRIC numbers should be provided — posing a conundrum for some organisations here as they ad- just their policies and practices. The collection of NRIC numbers is a common practice among a variety of businesses here and those which spoke to TODAY said it serves verifi- cation and audit purposes to ascertain a person’s identity and they would like more clarity on the laws. For example, telecommunications companies need customers’ NRIC numbers for regulatory requirements and some businesses ask visitors for NRIC numbers before they are allowed to enter secured office premises. Responding to TODAY’s queries, a spokesperson for the Personal Data Protection Commission (PDPC) said it will be publishing the final adviso- ry guidelines to organisations before the end of this year. It had conducted two public consultations — one ended in April, the other last month — after it published an initial set of advisory guidelines on its website. The Act does not prescribe the type of personal information an organisa- tion can collect. Nevertheless, the PD- PC guidelines said: “As a best practice, organisations should avoid over-col- lecting personal data, including NRIC numbers, where this is not required for their business or legal purposes. Or- ganisations should consider whether there may be alternatives available that address their requirements.” TGIF Bazaars, the operator for Sentosa’s Boardwalk Bazaars, said it needed vendors to produce either their NRIC, passport, Work Pass or business registration numbers in or- der to secure a booth. Its spokesman pointed out that these identification numbers are the “only known ways” to validate the le- gality of a vendor’s participation and it is “a part of our responsibility” to re- quest for such information. These num- bers may also be needed for accounting and audit and may also be “required” by the authorities here, he added. SingTel said it had several ways to verify the identity of its customers. Act does not prescribe the type of personal information an organisation can collect “At our shops, verification is done by checking customers’ NRIC. Another way is to send a one-time password to customers’ mobile phone via SMS,” said a company spokesperson. While it does not share person- al information with any third-party organisations without consumers’ expressed permission, SingTel said NRIC numbers are collected as part of regulatory requirements when cus- tomers subscribe to its services. During the PDPC’s public consul- tation in April, some companies also called for the commission to provide more clarity on the use and collection of NRIC numbers. For example, the Singapore Press Holdings asked for clarification on whether an individu- al can be refused entry into secured office premises if they object to their NRIC card being retained. The PDPC had previously noted that NRIC numbers are of “special concern” to individuals as they are unique to each person and are used in many official transactions with the Government. Government agencies and statuto- ry boards are excluded from the law — which was passed in Parliament in October last year — as they are gov- erned by internal rules, most of which have not been made public. Organisations have 18 months to adjust to the Act, between January this year and July next year, when the rules come into force. Under the Act, organisations must make “reasonable” security arrange- ments to protect personal data in its possession or under its control in or- der to prevent unauthorised access, collection, use, disclosure, copy- ing, modification, disposal or “simi- lar risks”. The PDPC noted that there is no “one size fits all” solution for organ- isations to comply with the new law and each organisation should consider adopting security arrangements that are “reasonable and appropriate in the circumstances”. “Organisations such as TGIF Ba- zaars are advised to review their proc- esses that involve personal data, in- cluding NRIC numbers, to ensure that they comply with the PDPA when the act comes into effect. There is no en- forcement during the transition peri- od,” the PDPC spokesperson said. CONCERN OVER COLLECTION OF NRIC NUMBERS

Businesses want more clarity on pdpa

Embed Size (px)

Citation preview

Page 1: Businesses want more clarity on pdpa

hot news today • thursday 11 July 20134

As a best practice, organisations should avoid over-collecting

personal data, including NRIC numbers, where this is not required for their business or legal purposes. Personal Data Protection Commission

Businesses want more clarity on Personal Data Protection Act

Ashley [email protected]

SINGAPORE — The newly-enacted Per-sonal Data Protection Act (PDPA), which requires individuals to be in-formed and consent gained if organi-sations are collecting personal data, does not prescribe the circumstances under which NRIC numbers should be provided — posing a conundrum for some organisations here as they ad-just their policies and practices.

The collection of NRIC numbers is a common practice among a variety of businesses here and those which spoke to TODAY said it serves verifi-cation and audit purposes to ascertain a person’s identity and they would like more clarity on the laws.

For example, telecommunications companies need customers’ NRIC numbers for regulatory requirements and some businesses ask visitors for NRIC numbers before they are allowed to enter secured office premises.

Responding to TODAY’s queries, a spokesperson for the Personal Data Protection Commission (PDPC) said it will be publishing the final adviso-ry guidelines to organisations before the end of this year. It had conducted two public consultations — one ended in April, the other last month — after it published an initial set of advisory guidelines on its website.

The Act does not prescribe the type of personal information an organisa-tion can collect. Nevertheless, the PD-PC guidelines said: “As a best practice, organisations should avoid over-col-lecting personal data, including NRIC numbers, where this is not required for their business or legal purposes. Or-ganisations should consider whether there may be alternatives available that address their requirements.”

TGIF Bazaars, the operator for Sentosa’s Boardwalk Bazaars, said it needed vendors to produce either their NRIC, passport, Work Pass or business registration numbers in or-der to secure a booth.

Its spokesman pointed out that these identification numbers are the “only known ways” to validate the le-gality of a vendor’s participation and it is “a part of our responsibility” to re-quest for such information. These num-bers may also be needed for accounting and audit and may also be “required” by the authorities here, he added.

SingTel said it had several ways to verify the identity of its customers.

Act does not prescribe the type of personal information an organisation can collect

“At our shops, verification is done by checking customers’ NRIC. Another way is to send a one-time password to customers’ mobile phone via SMS,” said a company spokesperson.

While it does not share person-al information with any third-party organisations without consumers’ expressed permission, SingTel said NRIC numbers are collected as part of regulatory requirements when cus-tomers subscribe to its services.

During the PDPC’s public consul-tation in April, some companies also called for the commission to provide more clarity on the use and collection of NRIC numbers. For example, the Singapore Press Holdings asked for clarification on whether an individu-al can be refused entry into secured office premises if they object to their NRIC card being retained.

The PDPC had previously noted that NRIC numbers are of “special concern” to individuals as they are unique to each person and are used in many official transactions with the Government.

Government agencies and statuto-ry boards are excluded from the law — which was passed in Parliament in October last year — as they are gov-erned by internal rules, most of which have not been made public.

Organisations have 18 months to adjust to the Act, between January this year and July next year, when the rules come into force.

Under the Act, organisations must make “reasonable” security arrange-ments to protect personal data in its possession or under its control in or-der to prevent unauthorised access, collection, use, disclosure, copy-ing, modification, disposal or “simi-lar risks”.

The PDPC noted that there is no “one size fits all” solution for organ-isations to comply with the new law and each organisation should consider adopting security arrangements that are “reasonable and appropriate in the circumstances”.

“Organisations such as TGIF Ba-zaars are advised to review their proc-esses that involve personal data, in-cluding NRIC numbers, to ensure that they comply with the PDPA when the act comes into effect. There is no en-forcement during the transition peri-od,” the PDPC spokesperson said.

concern over collectIon oF nrIc nuMBers

1. Clarity PACS - icrcompany.com PACS... · Clarity PACSTM – Troubleshooting Questions s 1. Clarity PACSTM Troubleshooting Questions 1.1 Trouble Shooting the Clarity Archive 1.1.1

1. Clarity PACS - icrcompany.com PACS... · Clarity PACSTM – Troubleshooting Questions s 1. Clarity PACSTM Troubleshooting Questions 1.1 Trouble Shooting the Clarity Archive 1.1.1

Documents
Timelines of the Thailand’s PDPA establishment and news on

Timelines of the Thailand’s PDPA establishment and news on

Documents
Sentence clarity

Sentence clarity

Documents
การปฏิบัติตาม PDPA · 2020. 12. 24. · การปฏิบัติตาม pdpa ดร.สุนทรีย์ส่งเสริม ส านักงานคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล

การปฏิบัติตาม PDPA · 2020. 12. 24. · การปฏิบัติตาม pdpa ดร.สุนทรีย์ส่งเสริม ส านักงานคณะกรรมการคุ้มครองข้อมูลส่วนบุคคล

Documents
PDPA compliance for fund management companies

PDPA compliance for fund management companies

Documents
PDPA LDV Family Brochure

PDPA LDV Family Brochure

Documents
Borang PDPA Untuk Pelanggan

Borang PDPA Untuk Pelanggan

Documents
CLARITY PVC CLARITY aluminio CLARITY mixta - haushogar.comhaushogar.com/wp-content/uploads/2014/06/ficha-tecnica-clarity-pvc.pdf · CLARITY PVC CLARITY aluminio CLARITY mixta

CLARITY PVC CLARITY aluminio CLARITY mixta - haushogar.comhaushogar.com/wp-content/uploads/2014/06/ficha-tecnica-clarity-pvc.pdf · CLARITY PVC CLARITY aluminio CLARITY mixta

Documents
PDPA: Principles and Insights · 5/27/2020  · Thailand PDPA (2019) Indonesia PDP Bill (2020*) Malaysia PDPA (2010) Review of PDPA – includes Applicability to public sector being

PDPA: Principles and Insights · 5/27/2020  · Thailand PDPA (2019) Indonesia PDP Bill (2020*) Malaysia PDPA (2010) Review of PDPA – includes Applicability to public sector being

Documents
Clarity 01:Write for Clarity (明白寫作)

Clarity 01:Write for Clarity (明白寫作)

Documents
Clarity WFM Administration Manual, v5 - help.incontact.com · Clarity WFM Administration Manual, v5.7 8 Clarity Terminology As a Clarity WFM administrator, you will need to understand

Clarity WFM Administration Manual, v5 - help.incontact.com · Clarity WFM Administration Manual, v5.7 8 Clarity Terminology As a Clarity WFM administrator, you will need to understand

Documents
Clinic IA PDPA for Internal auditors

Clinic IA PDPA for Internal auditors

Documents
Cyber Pdpa

Cyber Pdpa

Documents
PDPA Services Brochure (Thai version.) · 2020-02-20 · • แจ งเหตุการละเมิดข อมูลส วนบุคคลแก สำนักงานคณะกรรมการคุ

PDPA Services Brochure (Thai version.) · 2020-02-20 · • แจ งเหตุการละเมิดข อมูลส วนบุคคลแก สำนักงานคณะกรรมการคุ

Documents
Role Clarity, Need for Clarity, Satisfaction, Tension, and

Role Clarity, Need for Clarity, Satisfaction, Tension, and

Documents
Activating Clarity

Activating Clarity

Documents
ADVISORY GUIDELINES ON KEY CONCEPTS IN THE PERSONAL DATA ... · ADVISORY GUIDELINES ON KEY CONCEPTS IN THE PDPA (revised 27 July 2017) 2 Overview of the PDPA 2.1 The PDPA governs

ADVISORY GUIDELINES ON KEY CONCEPTS IN THE PERSONAL DATA ... · ADVISORY GUIDELINES ON KEY CONCEPTS IN THE PDPA (revised 27 July 2017) 2 Overview of the PDPA 2.1 The PDPA governs

Documents
Portfólio digital- ´PDPA 2015.2

Portfólio digital- ´PDPA 2015.2

Education
Singapore Personal Data Protection Act (PDPA)...Singapore Personal Data Protection Act (PDPA) Reed Smith LLP 05 Reed Smith LLP is licensed to operate as a foreign law practice in Singapore

Singapore Personal Data Protection Act (PDPA)...Singapore Personal Data Protection Act (PDPA) Reed Smith LLP 05 Reed Smith LLP is licensed to operate as a foreign law practice in Singapore

Documents
Clarity Chromatography Software Clarity Introduction

Clarity Chromatography Software Clarity Introduction

Documents
Pdpa presentation

Pdpa presentation

Health & Medicine
Pasoco ITSMF,SPMI-PDPA-140626-public

Pasoco ITSMF,SPMI-PDPA-140626-public

Law
Clarity CMS - About Clarity Content Management Solutions

Clarity CMS - About Clarity Content Management Solutions

Technology
Clarity & Commit

Clarity & Commit

Documents
CLARITY M/CLARITY M STEREO - Music Tribedownloads.musictribe.com/documents/tcelectronic/CLARITY M... · 2018-10-31 · 3 CLARITY M/CLARITY M STEREO User Manual Terminals marked with

CLARITY M/CLARITY M STEREO - Music Tribedownloads.musictribe.com/documents/tcelectronic/CLARITY M... · 2018-10-31 · 3 CLARITY M/CLARITY M STEREO User Manual Terminals marked with

Documents
Data clarity

Data clarity

Small Business & Entrepreneurship
HUAWEI CLOUD Compliance with Singapore PDPA · HUAWEI CLOUD Compliance with Singapore PDPA Globally Released 1. Introduction 1.1. Scope of Application The information provided in

HUAWEI CLOUD Compliance with Singapore PDPA · HUAWEI CLOUD Compliance with Singapore PDPA Globally Released 1. Introduction 1.1. Scope of Application The information provided in

Documents
Virulence factors in Francisella noatunensis : pdpA

Virulence factors in Francisella noatunensis : pdpA

Documents
FFR/iFR/PdPa/RFR Caveats: What are the Traps, Common ...FFR/iFR/PdPa/RFR Caveats: What are the Traps, Common Physician Errors Morton J. Kern, MD Chief of Medicine, VA Long Beach HCS

FFR/iFR/PdPa/RFR Caveats: What are the Traps, Common ...FFR/iFR/PdPa/RFR Caveats: What are the Traps, Common Physician Errors Morton J. Kern, MD Chief of Medicine, VA Long Beach HCS

Documents
CONTENTSCONTENTS PREFACE 1. In Search of Hafizullah Amin 6 2. Three Revolutionaries 12 3. A House Divided: the PDPA, 1965-1973 25 4. The Making of a Revolution: the PDPA, 1973-1978

CONTENTSCONTENTS PREFACE 1. In Search of Hafizullah Amin 6 2. Three Revolutionaries 12 3. A House Divided: the PDPA, 1965-1973 25 4. The Making of a Revolution: the PDPA, 1973-1978

Documents