Singapore Adopts Stricter ID Collection RulesBut Security Experts Says Guidance Comes Up Short
In the wake of major data breaches in Singapore, the nation's Personal Data Protection Commission has come out with stricter rules for collection and disclosure of the National Registration Identity Card, or NRIC, and other national identification numbers.
Under the new rules, it's now illegal for organizations to physically hold on to an individual's NRIC as well as collect and store its full number unless gathering that data is specifically required by law or the individual grants permission. The idea is to prevent the routine gathering of NRIC information as a way to help protect privacy. Violations of the new rules can lead to penalties of up to $1 million.
The commission, in a statement published on its website, says the same restrictions also apply to birth certificate numbers, passports, foreign identification numbers and work permit numbers, collectively referred to in the guidelines as "other national identification numbers."
"As NRIC numbers can be used to retrieve data relating to individuals, there is a need to reduce indiscriminate or unjustified collection and negligent handling of NRIC numbers," the commission said in the statement.
Some security practitioners, however, say the new requirements fail to describe the level of protection required for any stored identification information in an enterprises' own computer system or in the cloud.
"There are many places where there is ambiguity with regards to collection of data," says Aloysius Cheang, board director and executive vice president for Asia Pacific at The Center for Strategic Cyberspace + International Studies.
"For instance, if the data is stored in the cloud, the guidelines are not clear on whether or not storing it in overseas location is permitted."
The government's various cybersecurity initiatives come in the aftermath of two major healthcare breaches. In 2018, 1.5 million patient records, reportedly including those of the prime minister, were hacked, according to various news reports. And in March this year, a breach of the National Health Authority exposed the personal information of 800,000 blood donors.
The New Requirements
The commission is requiring organizations that have already collected the NRIC numbers to assess if they need to retain these numbers and, if not, dispose of them responsibly and in compliance with the Personal Data Protection Act disposal methods.
The commission says that if an organization finds it necessary to verify the identity of an individual, it may collect, use or disclose an NRIC number if the individual consents.
Plus, there are cases where use of the NRIC is still required. For example, a patient seeking medical treatment at a clinic will need to provide an NRIC while registering. For subsequent visits, the patient will still be required to provide an NRIC for verification purposes.
And when someone wants to sign up for a mobile phone service with a telecommunication company, the company can ask for NRIC details, the commission points out. The Telecommunications Act require telecommunication companies who provide mobile phone services to collect their customers' NRIC information and keep a copy of the NRIC as evidence of identity.
The commission has suggested alternatives to collecting NRIC information, including collecting partial NRIC numbers.
But even partial numbers are considered personal data under the PDPA, which means that reasonable security arrangements must be made to protect the data from unauthorized disclosure.
"The risks associated with the permanent and irreplaceable nature of the NRIC and the potential to unlock large amounts of information relating to the individual are diminished [when collecting partial numbers] but still exist," Cheang says.
What's 'Reasonable' Security?
Although the new rules call for judicious use of NRIC details and reasonable security precautions, they fail to offer specifics of what constitutes reasonable security practices, some security experts say. They point out, for example, that the rules do not mention encryption.
"In one of the sections of the document it, has been mentioned that organizations storing data electronically must protect it with passwords. In this day and age, why would they recommend passwords and not encryption?" Cheang asks.
"There is the potential of providing a tokenized/randomized one-time use ID number through SMS that would serve in lieu of providing an NRIC," Ray says. "For example, where NRIC data is legally required to be collected by hotels, a one-time use ID code or number could be generated by the NRIC-issuing body. That one-time ID number could only be confirmed by the same NRIC-issuing body at a later date, and not by the hotel which collected it to comply with the law."
The Unique Identification Authority of India, which issues the Aadhaar ID card, has come out with an Aadhaar virtual ID, a temporary, revocable 16-digit random number mapped with the Aadhaar number. This virtual ID can be used in lieu of the Aadhaar number whenever authentication is required.
Ray suggests that in situations where the NRIC is used for confirmation of identity, any form of the collected data should be encrypted, ideally by a file-level encryption tool that could not only maintain the personal data in a secure state, but also allow for secure wiping/erasure of that data to comply with any reasonable or legally prescribed retention period.
The Singapore Personal Data Protection Commission did not respond to a request for comment.