Connect with us

Opinion

Why has MDDI reversed its position on NRIC numbers as sensitive data?

Ministry of Digital Development and Information claims NRICs are “just identifiers,” reversing the PDPC’s 2018 stance that recognised NRIC numbers as sensitive due to risks like fraud and harassment. Cases like SingPass lockouts and scams using NRICs highlight ongoing vulnerabilities, making the policy shift questionable.

Published

on

In light of the public outcry over individuals’ NRIC numbers being publicly accessible via ACRA’s new Bizfile website, the Ministry of Digital Development and Information (MDDI) argued that National Registration Identity Card (NRIC) numbers are “just identifiers” and should not be treated as private data.

This stance marks a significant shift from the position Singapore’s government took in 2018, when new rules under the Personal Data Protection Act (PDPA) were introduced to restrict the collection, use, and disclosure of NRIC numbers.

The 2018 position: NRICs are sensitive

In August 2018, the Personal Data Protection Commission (PDPC), which operates under MDDI, announced stricter regulations for handling NRIC numbers, which came into effect on 1 September 2019.

These rules explicitly recognised the sensitivity of NRIC numbers due to their potential for misuse and the adverse impact on individuals if disclosed without authorisation.

The PDPC wrote at the time: “The sensitivity and potential adverse impact to the individual of any unauthorised use or disclosure of his or her NRIC number must be taken into consideration… Organisations are expected to provide a greater level of security to protect NRIC numbers…”

This framework acknowledged the risks associated with NRIC misuse, such as identity theft, fraud, and harassment. Organisations were required to implement “reasonable security arrangements” to protect NRIC numbers and ensure their collection, use, or disclosure was necessary and justified.

So why, just a few years later, is MDDI now asserting that NRIC numbers are not sensitive and that there should be no hesitation in sharing them?

The contradiction in MDDI’s new stance

MDDI’s argument is that NRIC numbers are akin to names—unique identifiers that are not inherently private.

The ministry reasons that masking NRIC numbers provides a “false sense of security” and that the real problem lies in their misuse for authentication rather than their disclosure.

However, this stance contradicts the principles outlined by the PDPC in 2018. The earlier position explicitly recognised the sensitivity of NRIC numbers and mandated heightened security measures to protect them.

This reversal is particularly puzzling given the continued risks, such as scammers using NRIC numbers to impersonate authorities and harass individuals or malicious actors exploiting NRICs to block SingPass accounts.

Real-world risks of NRIC misuse

The risks associated with unauthorised access to NRIC numbers are not hypothetical.

In 2019, former presidential candidate Tan Kin Lian faced harassment when an unknown individual repeatedly used his published NRIC number to attempt to log into his SingPass account.

After six failed attempts, the system automatically locked his account, forcing Mr Tan to reset his password.

As Mr Tan pointed out, “All it needs is for someone to have the NRIC number and make six attempts to get the SingPass account blocked.”  This loophole highlights the practical vulnerabilities created when NRIC numbers are so widely used as identifiers.

While SingPass offers the option to change one’s ID, many users—particularly seniors—continue to use their NRIC as the default ID, leaving them vulnerable to such harassment.

Scams targeting seniors further underscore this danger. Fraudsters armed with NRIC numbers can easily pose as government officials, gain victims’ trust, and trick them into revealing sensitive information.

In a report by The Straits Times, a housewife shared how she began checking the portal after a scammer, posing as an Interpol officer, called her mother and read out her address and NRIC number.

Believing the caller to be legitimate due to the accuracy of the information, her mother almost provided her bank details. However, Tan intervened in time. She also discovered the names and NRIC numbers of her friends through the portal.

Given these examples, the 2018 position—that NRIC numbers require heightened protection due to their potential misuse—remains highly relevant today.

What has changed?

MDDI’s new stance seems to disregard the very concerns that prompted the PDPA’s stricter rules in 2018. The ministry has not provided a clear explanation for this shift.

If NRIC numbers were deemed sensitive just five years ago, why are they now considered benign? What data, policy changes, or new safeguards justify this reversal?

Has the risk of unauthorised use or disclosure decreased, or has the government decided that the potential harms are now acceptable?

Until these questions are addressed, MDDI’s position will remain difficult to reconcile with the PDPA’s earlier acknowledgment of the dangers associated with NRIC misuse.

The public deserves clarity on why such a fundamental shift in policy has occurred—and how the government plans to mitigate the ongoing risks.

Without a detailed explanation, the change appears inconsistent and undermines confidence in how the government assesses and manages personal data risks.

16 Comments
Subscribe
Notify of
16 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments

Trending