SINGAPORE: There was no "deliberate wrongdoing or wilful inaction" by government officers involved in the events leading to full National Registration Identity Card (NRIC) numbers being displayed on a business portal last December.
A report by the review panel set up to look into the incident said on Monday (Mar 3) that it was a "confluence of several shortcomings" that resulted in NRIC numbers being unmasked on the Accounting and Corporate Regulatory Authority's (ACRA) Bizfile portal.
The panel, chaired by the head of civil service Leo Yip, was asked to review the government's policy on responsible use of NRIC numbers, determine what led to the Bizfile incident and identify learning points to avoid similar incidents in future.
"While the panel did not find any factual evidence of deliberate wrongdoing or wilful inaction by the (Ministry of Digital Development and Information) and ACRA officers involved in this incident, it found several shortcomings by both ACRA and MDDI in this incident, which should have been avoided," the Prime Minister's Office said in a press release.
The panel submitted its report to Senior Minister and Minister-in-charge of the Smart Nation Group Teo Chee Hean on Feb 25. Prime Minister Lawrence Wong approved the report for public release on Feb 27. Mr Teo will deliver a ministerial statement on the report on Mar 6 in parliament.
ACRA, its parent ministry the Ministry of Finance, and MDDI accepted the panel's findings and laid out the steps being taken to address the shortcomings.
Last December, there was a public outcry over privacy concerns when queries made on ACRA's Bizfile portal produced full NRIC numbers for free in search results.
ACRA chief executive Chia-Tern Huey Min said a "lapse of coordination" and a misunderstanding led to the NRIC numbers being unmasked.
TIMELINE OF EVENTS
In August 2022, the former Smart Nation and Digital Government Office (SNDGO), which is now part of MDDI, began reviewing the policy on the use of NRIC numbers.
The intention was to stop the incorrect use of NRIC numbers for authentication and to move away from the use of partial NRIC numbers.
SNDGO issued a circular to government agencies in September 2023 addressing the first issue – the incorrect use of NRIC numbers for authentication. NRIC numbers are meant to identify people, rather than prove that they are who they claim to be.
Separate from the SNDGO's review, ACRA in early 2024 proposed that it start providing partial NRIC numbers instead of full NRIC numbers when users purchase a People Profile on the Bizfile portal.
SNDGO informed ACRA of plans to move away from using partial NRIC numbers, and ACRA decided not to make the change.
However, ACRA had already misunderstood SNDGO's intentions at this stage. It believed that the long-term intent was for public agencies to "unmask" NRIC numbers.
SNDGO did not correct ACRA or clarify that stopping the use of partial NRIC numbers was not equivalent to unmasking and using full NRIC numbers.
"This contributed to subsequent misunderstandings between ACRA and MDDI," the review panel said in its report.
In July 2024, MDDI issued a circular to communicate its plan to stop using partial NRIC numbers internally and to stop introducing new uses of partial NRIC numbers both internally and externally.
For existing external uses of masked NRIC numbers, MDDI planned to collect information on use cases before developing plans on how to stop them.
MDDI conducted a briefing on the circular 11 days later, and two officers from ACRA who were not involved in the development of the new Bizfile portal attended the session.
A video recording of the briefing and a document with frequently asked questions were emailed to data governance teams the next day, but were not appended to the initial circular and were not shared with ACRA senior leadership.
Within ACRA, there were discussions about the potential sensitivity of showing full NRIC numbers in its People Search function, but the agency was "heavily influenced" by its earlier exchange with SNDGO, where the term "unmask" was used.
It also referenced a line in the July circular stating that agencies must cease the planned use of masked NRIC numbers in new digital products. Although Bizfile is not new, ACRA considered the updated portal to be a new digital product.
In email exchanges, MDDI told ACRA it could continue to use masked NRIC numbers "for now" but be prepared for the "eventual unmasking". MDDI used "unmask" as shorthand for stopping the use of masked NRIC numbers.
ACRA misunderstood that to mean that masked NRIC numbers could be used on its old Bizfile portal, but the full number would need to be shown on its new portal as soon as possible.
"Both sides did not pick up that ACRA had misunderstood the (circular) because both sides did not engage each other in depth on what they meant in their emails, which might have clarified the misunderstanding," the report said.
As a result, when the new portal was launched on Dec 9 last year, full NRIC numbers were displayed in the search results of People Search.
Three days later, agencies began to receive media queries and feedback from members of the public. The search function was disabled late on Dec 13, and MDDI said NRIC numbers are not meant to be private, and that it intended to change the practice of masking NRIC numbers.
However, on Dec 19, ACRA's chief executive said the agency misunderstood MDDI and thought it should unmask NRIC numbers in the Bizfile portal.
The search function was revised and introduced on Dec 28, and NRIC numbers are no longer displayed in search results.
SIX SHORTCOMINGS FLAGGED
The report also highlighted six shortcomings by MDDI and ACRA.
- MDDI should have been more precise in its July 2024 circular to reduce misunderstandings. For example, it could have been clearer in explaining that stopping the use of partial NRIC numbers did not mean using the full number. Key clarifications could have been appended to the initial circular.
But the panel acknowledged MDDI's extensive briefing to ensure its circular was properly understood, and that ACRA was the only agency rolling out a new portal and misunderstood the circular "to the extent that it did".
- Information sharing within ACRA was insufficient, and contributed to the misunderstanding. Officers who attended the briefing or received the frequently asked questions document should have ensured that the information was disseminated as widely as the original circular, the panel said.
"As a result, ACRA continued to misinterpret the (circular), and had acted on incomplete information when it decided to disclose full NRIC numbers," the report said.
- MDDI should have paid more attention to its implementation plan for more complex cases when it told agencies to stop introducing new use cases of partial NRIC numbers.
More guidance could help agencies understand how to stop the use of partial NRIC numbers and decide whether full NRIC numbers were necessary.
- ACRA did not assess the proper balance between sharing full NRIC numbers and ensuring that they were not too readily accessible, contravening the government's internal rules on data management.
"As ACRA thought that the disclosure of full NRIC numbers was a central directive from MDDI, it had prioritised compliance over its internal concerns on displaying full NRIC numbers," said the report.
- Certain security features for the People Search function were not adequately implemented. A review by GovTech found that some security features, including CAPTCHA functionality, which differentiates humans from bots, were not properly implemented.
That means data may have been retrieved by bots from Dec 9 to Dec 13, before the function was taken down.
- The response to public concerns could have been better. ACRA and MDDI should have acted more quickly to ascertain the key facts, and ACRA should have disabled its People Search function sooner.
Agencies should have placed greater emphasis on assessing whether the manner and extent to which NRIC numbers were being disclosed was appropriate, while clarifying the interpretations of the July circular.
Communication with the public could also be improved. "In hindsight, the Government should have made clear to the public at the outset that moving away from the use of partial NRIC numbers did not automatically mean using full NRIC numbers in every case, nor was it the Government’s intention to disclose full NRIC numbers on a large scale," the report said.
"Doing so would have helped to reassure the public that NRIC numbers remain personal data, which should only be collected, used or disclosed when there is a need to do so."