When you visit an office building from the middle of next year, you can refuse to hand your NRIC to the security guard. You can say no too, if you are asked for your identification card for simple things such as card park redemption at a mall.
These routine practices, long criticised by privacy advocates, look likely to be kicked out when proposed regulatory changes by the Singapore data protection watchdog go through. And that’s about time, too.
The Personal Data Protection Commission said yesterday that NRIC details should only be disclosed when a “high level of fidelity” is needed to establish a person’s identity.
This could be when you sign up for a mobile phone line or when you want to enrol your child in a childcare centre, for example. But certainly, not for a lucky draw.
The newly proposed requirements, unveiled on November 7, couldn’t have come earlier. For years, privacy advocates have questioned why security guards, for example, could demand to see a person’s ID and even keep it in exchange for a temporary pass to enter a building.
What could they have done instead? Perhaps use an e-mail address or phone number. Sure, these are also identifiers that are increasingly hard to change (how long have you had your e-mail address or phone number?), but they are not like your NRIC number, which the government will increasingly use to identify you as an individual.
As it moves towards a digital ID system that acts like a virtual counterpart of the NRIC, this important identifier will be used by various agencies to transact with you securely, whether to apply for a flat or pay your taxes. It is something that should become more private, not less.
An NRIC number alone may not seem a big deal, but the details on the NRIC, such as the photo ID, fingerprint, date of birth and address, are sensitive information.
No security guard or mall receptionist should be making a copy of that or keeping it with them. Even if they have no ill intention, what happens if the details are lost or stolen?
So, how will building security and malls identify you in future? One obvious way is through e-mail or mobile phone. These are sensitive too, but are far more public, in the sense that they are information you need to share to communicate with people.
The cost might go up for some operations, and you can expect some grumbling from the private sector (thus the public consultation that the proposals are going through now). However, the tougher rules are a step in the right direction.
They certainly are a long way from the past, when lucky draw winners’ NRIC numbers were once printed in national newspapers. Today, with more awareness, the public is rightly asking why their information is so loosely handled.
So, come mid-2018, companies will have to find new ways to identify a person. If they continue to collect NRIC details, they could find themselves fined for not following the revised data protection rules.
The one question I have, though, is for government buildings. Even though government agencies are controversially exempt from the regulations, they should practise what they preach, by avoiding the collection of NRIC details unless one is entering a sensitive area.
Ministry of Defence? Okay, make sure you identify yourself. However, if I’m just applying for a permit or paying a fine, I should not be surrendering my NRIC.
What about fingerprint retention used in biometric attendance system?