4 weeks ago
43
SINGAPORE: Private sector organisations that are using National Registration Identity Card (NRIC) numbers as authentication factors or default passwords should stop this practice as soon as possible, Minister for Digital Development and Information Josephine Teo said on Wednesday (Jan 8).
Speaking during a ministerial statement addressing 51 questions filed by Members of Parliament (MPs) on the issue that emerged in December 2024, Mrs Teo also said that private sector organisations that now collect partial NRIC numbers to identify people can continue to do so.
“The guidelines for the private sector have not yet changed and we will only consider how they should be updated after consulting the public,” she added.
In December, privacy concerns were raised over ACRA's new Bizfile portal, which showed names and full NRIC numbers for free via its search function.
On Dec 14, the government said it intended to change the practice of masking NRIC numbers, but the new Bizfile portal was launched before the plans were announced to the public.
Days later, the government apologised to the public for the anxiety caused over the NRIC unmasking saga, while ACRA’s chief executive said the incident was due to a lapse in coordination.
Mrs Teo apologised again in parliament on Wednesday for the mistake that caused “much anxiety” to the public, stressing that the government takes the concerns that emerged seriously.
"It was not our intention to make the full NRIC number widely disclosed, and we are not heading in that direction," she added.
NRIC numbers are personal data, and can only be collected when there is a need to do so, she stressed.
“This means that organisations collecting and using NRIC numbers must continue to exercise a duty of care,” she added.
Laws indicate that organisations must notify and seek consent on the use of NRIC numbers, and ensure that the data is protected, said Mrs Teo, adding that these are existing guidelines that will not change.
Organisations should also not disclose the NRIC numbers unless there are “good reasons” to do so, she added.
There are some “incorrect uses” of the NRIC number today and the government planned to stop these while the problem is “relatively contained”, said Mrs Teo.
“Doing so will better protect everyone and allow us to use NRIC numbers with confidence,” she added.
Individuals who have used their NRIC number as a password should change it immediately, said Mrs Teo.
This will give them better protection against those who use NRIC numbers to get access to information or services, she added.
An NRIC number is like an individual's name – even if not widely disclosed, it is not a secret, said Mrs Teo.
"If someone we don't recognise calls out our names and starts to behave as though they know us well, we would be at least slightly suspicious," she added.
Individuals should not fully trust others just because they know their names, and this is how they should treat those who know their NRIC numbers.
"We should not automatically assume that they know us well or are figures of authority, or can be trusted. We should be cautious about revealing more about ourselves or saying yes to their requests, or following their instructions without checking further."
If individuals stop using NRIC numbers as passwords and organisations stop using NRIC numbers as authenticators, this will go "a long way" in preventing harms from scams and identity theft, said the minister.
This will then give individuals "better peace of mind" to use their NRIC numbers when necessary, such as when receiving medical treatment or applying for jobs, she added.
The Ministry of Digital Development and Information aims to start consultations with the private sector soon, and initial meetings suggest that there can be “different approaches”.
The government knew that it would take time for public agencies to make the change to masked NRIC numbers, and expected that it would take even longer for the private sector, said the minister.
The plan was to change internal government practices before moving on to the private sector and non-profit organisations, she said, adding that this would allow agencies to better understand the implementation challenges.
“We had also planned to mount a major effort to help Singaporeans be aware of the risks and to support efforts to stop incorrect practices,” said Mrs Teo.
“The Bizfile incident was an unfortunate misstep, which now means these plans need to be brought forward.”
.jpg?itok=HVcXoYme)
