新加坡个人信息保护新规：机构索取身份证号码需征求同意

We will take these considerations on board when updating the guidelines. In any case, I would like to assure Members like Ms Jean See and Mr Ong Hua Han that the Personal Data Protection Commission will support businesses in changing their authentication methods. This will include raising their awareness on why the use of NRIC numbers as a factor of authentication is unsafe and working through the Infocomm Media Development Authority and the Cyber Security Agency's programmes to help businesses review and adjust their practices.

To questions by Ms Tin Pei Ling, Mr Zhulkarnain Abdul Rahim and Assoc Prof Jamus Lim, I should emphasise that NRIC numbers are personal data. This means that organisations collecting and using NRIC numbers must continue to exercise a duty of care. Subject to applicable law, they must notify and seek consent on use, and also ensure the data is sufficiently protected. Certainly, they should not disclose the NRIC numbers unless there is good reason to do so.

Members may also ask, if the NRIC number is not suitable as an authenticator, what about the physical NRIC card, our pink identity card? If we look at our physical NRIC card, we will see that it contains other identifying information, such as our photo and fingerprint. It allows others to check that the information on the card matches me, the person holding the card. In addition, the physical NRIC card is not easily faked. The physical NRIC card is, therefore, suitable as an authenticator, or proof of who I claim to be. But someone providing my NRIC number and claiming to be me, does not have these additional factors of proof.

Organisations must know that the physical NRIC card and NRIC number are different. The physical NRIC card can be an authenticator, but the NRIC number should not be used as an authenticator. Organisations should, therefore, not accept my NRIC number alone as proof that the person citing it is indeed me.

Besides organisations, individuals, too, have questions about what they should do. There are also two things. The first is to clarify their understanding of the NRIC number. Members like Ms Sylvia Lim asked about this.

We have said that our NRIC number is like our name. Even if it is not widely disclosed, it is not secret. In our daily lives, if someone we do not recognise calls out our name and starts to behave as though they know us well, we would be slightly suspicious. We might be polite but not too friendly. Certainly, we should not fully trust this person, just because they know our name.

This should also be how we treat anyone who tells us our NRIC number. We should not automatically assume that they know us well or are figures of authority or can be trusted. We should be cautious about revealing more about ourselves, or saying yes to their requests or following their instructions without checking further.

未完待续,请点击[下一页]继续阅读