Firms must protect customers’ NRICs, Latest Views News - The New Paper

Firms must protect customers’ NRICs

This article is more than 12 months old

Organisations must review existing practices on management of confidential data

The Society of Tourist Guides has recently been investigated by the Personal Data Protection Commission (PDPC) for failure to secure the personal data of its members.

Images of member NRICs and driving licences were found to be publicly accessible on its website, in yet another case of a personal data breach.

Although cited by its spokesman as a genuine mistake, the information could have easily been used by data thieves for nefarious purposes.

For Singaporeans, our NRIC is assigned to us and acts as a unique identifier for many purposes.

Originally created as an administrative tool by the Government, organisations have grown accustomed to using it as a means of customer verification.

Anyone that gains access to an individual's NRIC number can unlock a repository of information such as credit card details, financial claims or even legal statements.

Individuals that manage to obtain access to our NRIC numbers are privy to confidential information, which they can use to commit fraud.

The recent case involving the Society of Tourist Guides clearly shows greater awareness needs to be raised on the severity of a data breach, especially involving NRIC details.

It is important for organisations to stay alert for any signs of a potential data breach, given the severe repercussions that could follow, including a hefty $1 million fine by the PDPC and a loss of trust with customers.

In fact, the PDPC's guidelines to stop the unnecessary collection of NRIC details is a good move to protect customers from any potential harm.


To prepare for these new guidelines, Shred-it released a guidebook to help organisations understand the new guidelines, provide tips on how organisations can comply with them and how individuals can protect their NRIC details.

Organisations need to review their operating procedures with regard to the management of data and determine if these are sufficient to prevent a data breach from happening.

Ensuring that documents are not simply thrown into a recycling bin, and destroying all unnecessary confidential information are some considerations to be made.

In addition, a review of existing data should be undertaken and repositories containing personal data such as NRIC details should be flagged. With these documents and data, they should consider whether they are permitted to retain such information under any law or whether exceptions apply.

With data breaches being reported frequently around the world, an organisation's data protection officer serves a vital function to guard an organisation's confidential data.

Reviewing existing practices to ensure the company complies with the new guidelines should be the officer's priority.

This can be achieved by identifying potential risk areas within the organisation and making sure employees understand what is necessary for maintaining a secure data environment, such as regularly holding awareness workshops.

Organisations can consider appointing a law firm to assist in reviewing their policies and practices to ensure they are in line with the guidelines.

With the NRIC being a document that holds such tremendous importance, individuals should be careful not to carelessly give away NRIC details.

Organisations, on the other hand, need to exercise greater responsibility to protect such critical personal information and prevent them from falling into the wrong hands.

The writer is general manager at Shred-it Singapore, an information security company that provides data protection advice, shredding and recycling services.