ACRA’s PDPA exemption makes it challenging to hold agency accountable for allowing public NRIC access
A recent glitch on ACRA’s new Bizfile portal allowed full NRIC numbers to be easily accessed, raising privacy concerns.
However, ACRA is exempt from the Personal Data Protection Act (PDPA), making it difficult to hold the agency accountable for the issue.
In 2012, Workers’ Party MP Chen Show Mao advocated for including public agencies under the PDPA, but then-Minister Yaacob Ibrahim defended the exclusion, citing existing data protection rules.
The recent glitch on the Accounting and Corporate Regulatory Authority (ACRA)’s new Bizfile portal, which allowed full NRIC numbers to be easily obtained, has raised significant privacy concerns.
However, ACRA is exempt from the Personal Data Protection Act (PDPA), a law governing the protection of personal data that applies only to private sector organisations, including businesses, non-profits, and associations.
As a result, ACRA may not be held accountable for issues related to public data access under PDPA.
In 2019, the Personal Data Protection Commission (PDPC) announced that organisations would be prohibited from collecting, using, or disclosing NRIC numbers.
This regulation, part of updated guidelines under the Personal Data Protection Act, aims to better protect Singaporeans’ personal data and carries a financial penalty of up to S$1 million.
Singaporeans can also refuse to disclose their full NRIC numbers, unless required by law or for precise identification.
Veteran Journalist Raises Alarm over Full NRIC Numbers on ACRA’s New Bizfile System
The issue was first raised by veteran journalist Bertha Henson in a Facebook post on Thursday (12 December), highlighting the ease with which full NRIC numbers could be obtained from ACRA’s new Bizfile portal.
By simply entering a person’s name in the “People Profile” section, it was possible to retrieve their full NRIC number—even for individuals with no connection to any business.
The new Bizfile portal went live on 9 December, replacing the previous BizFile+ system. Henson expressed concerns about potential glitches in the site, which she discovered after testing the portal’s search functionality.
On 17 October, ACRA had announced the launch of the new Bizfile portal, promising users seamless access to various eServices, including business registration, information updates, annual filings, and business data retrieval.
TOC also visited the Bizfile website to verify whether full NRIC numbers could still be accessed.
On Friday (13 December) morning, the site appeared to experience some technical issues, preventing searches. However, the functionality was briefly restored in the afternoon.
TOC found that searches for names resembling those of political figures, such as Transport Minister Chee Hong Tat, Education Minister Chan Chun Sing, and Manpower Minister Dr Tan See Leng, revealed their full NRIC numbers.
Additionally, for a fee of $33 per name, anyone could purchase the full profiles of these individuals, which included their business addresses, current appointments, and past roles.
In a separate report by The Straits Times, housewife Gina Tan shared that she began checking the portal after a scammer, posing as an Interpol officer, called her mother and read out her address and NRIC number.
Believing the caller to be legitimate due to the accuracy of the information, her mother almost provided her bank details, but Tan intervened in time. Tan also found the names and NRIC numbers of her friends through the portal.
ACRA Exempt from PDPA, Allowing Disclosure of Personal Data Under Its Functions
However, according to ACRA’s official website, the agency is exempt from the PDPA, as outlined in the ACRA Act, which permits the disclosure of personal data when discharging its functions.
ACRA has assured the public that it adheres to the Public Sector (Governance) Act and Government Instruction Manuals regarding data management.
These measures include procedures to prevent the disclosure of data beyond what is permitted by the ACRA Act.
“ACRA will continue to keep abreast of industry standards and strive to implement best practices where applicable, with respect to the way we manage personal data,” stated the agency.
In contrast, holders of personal data obtained through ACRA’s system or from authorised Information Service Providers (ISPs) are responsible for ensuring their compliance with the PDPA regarding the disclosure and use of personal data.
Anyone who misuses this information may face legal action or criminal prosecution.
In 2012, then-MP Chen Show Mao Criticized PDPA Exemption for Public Agencies, Advocating for Uniform Data Protection Standards
The issue of the PDPA exemption for public agencies has been raised in Parliament previously.
During the debate on the Personal Data Protection Bill in October 2012, Chen Show Mao, then-Member of Parliament for Aljunied GRC from the Workers’ Party (WP), criticised the exclusion of public agencies from the bill, arguing that public agencies, like private entities, should adhere to minimum levels of data protection.
He questioned the transparency of the government’s existing data protection rules and advocated for aligning Singapore’s framework with international standards, where both private and public sectors are covered.
Chen further argued that personal data is a form of personal property belonging to individuals, and thus, even the government must handle it responsibly.
Then-MCI Minister Yaacob Ibrahim Defends Public Agencies’ Exemption from PDPA
In response, Yaacob Ibrahim, the then Minister for Communications and Information, defended the exclusion of public agencies from the bill, stating that they are already governed by comprehensive data protection rules.
These rules, he explained, are based on the same principles as those in the bill.
“Statutory provisions in several Acts also regulate the collection, use and disclosure of information by the public sector,” he said.
“These ensure that public agencies and officials are subject to responsibilities to maintain confidentiality and protection of personal data, while enabling them to carry out their statutory functions in an effective and accountable manner.”
Ibrahim assured that all government entities, including ministries, statutory boards, and organs of state, are required to comply with these internal data protection rules.
Mechanisms such as audits and investigations are in place to ensure compliance, and officers who breach data protection regulations may face disciplinary action under the Public Service Disciplinary Regulations.
“I understand that individuals may also request Government agencies to correct inaccurate personal information held by the agencies.”
“I would also like to reiterate that personal data held by Government agencies are protected by appropriate security safeguards against accidental or unlawful loss, as well as unauthorised access, use or disclosure. This is regardless of the format in which the personal data is kept.”