In Singapore, the
Personal Data Protection Act (PDPA), which became effective on 2 July 2014,
governs the collection, use and disclosure of individuals’ personal data by organizations.
Organizations that fail to comply with PDPA may be fined up to S$1 million and
suffer reputation damage (Morris, 2018). Personal Data Protection Commission
(PDPC) has proposed changes to PDPA guidelines on how companies handle
individuals’ NRIC numbers, collects the physical NRIC or a copy of it on 7
November 2017. As the NRIC number is a permanent and irreplaceable identifier
which can be used to unlock large amounts of information relating to the
individual, the indiscriminate collection and use of individuals’ NRIC numbers
is of special concern as it increases the risk that the NRIC numbers may be
obtained and used for illegal activities such as identity theft and fraud.
Furthermore, the physical NRIC not only contains the individual’s NRIC number,
but also other personal data, such as the individual’s full name, photograph,
thumbprint and residential address (CNA, 2017). Organizations are allowed 12
months to implement changes in the effect of the proposed changes to the new PDPA
guidelines. One of the organizations affected by the new PDPA guidelines is
National Trades Union Congress (NTUC). NTUC was created in 1961 and is
currently the sole national trade union center in Singapore. NTUC has
affiliates that sell insurance, has supermarkets and individual outlets where
they also provide memberships to customers for a special rate to buy a product.
To sign up an NTUC membership, NRIC will be required to identify the individual
is who they claim to be, and is also the best way to uniquely identify everyone.
In accordance to the new laws by PDPC, NTUC would need to implement the changes
to the unique identifier of NTUC’s customers/members within 12 months as NTUC
is currently using only NRIC as a unique identifier for NTUC’s membership.
Although NRIC is the best form of unique identification of individuals, these
do have its risks of exposing information relating to the individual.
Therefore, there is a need for a more concerted effort between departments to
address the new PDPA’s guidelines. This essay will specifically examine how
NTUC has made the necessary changes in response to the new laws, it will then
analyze the effectiveness on how NTUC has managed to address the impact on
their staffs and customers, and offer a plausible solution as an additional
measure to complement these laws.
In individuals’ personal data by organizations. Organizations that
In Singapore, the