Opinion
Why has MDDI reversed its position on NRIC numbers as sensitive data?
Ministry of Digital Development and Information claims NRICs are “just identifiers,” reversing the PDPC’s 2018 stance that recognised NRIC numbers as sensitive due to risks like fraud and harassment. Cases like SingPass lockouts and scams using NRICs highlight ongoing vulnerabilities, making the policy shift questionable.
In light of the public outcry over individuals’ NRIC numbers being publicly accessible via ACRA’s new Bizfile website, the Ministry of Digital Development and Information (MDDI) argued that National Registration Identity Card (NRIC) numbers are “just identifiers” and should not be treated as private data.
This stance marks a significant shift from the position Singapore’s government took in 2018, when new rules under the Personal Data Protection Act (PDPA) were introduced to restrict the collection, use, and disclosure of NRIC numbers.
The 2018 position: NRICs are sensitive
In August 2018, the Personal Data Protection Commission (PDPC), which operates under MDDI, announced stricter regulations for handling NRIC numbers, which came into effect on 1 September 2019.
These rules explicitly recognised the sensitivity of NRIC numbers due to their potential for misuse and the adverse impact on individuals if disclosed without authorisation.
The PDPC wrote at the time: “The sensitivity and potential adverse impact to the individual of any unauthorised use or disclosure of his or her NRIC number must be taken into consideration… Organisations are expected to provide a greater level of security to protect NRIC numbers…”
This framework acknowledged the risks associated with NRIC misuse, such as identity theft, fraud, and harassment. Organisations were required to implement “reasonable security arrangements” to protect NRIC numbers and ensure their collection, use, or disclosure was necessary and justified.
So why, just a few years later, is MDDI now asserting that NRIC numbers are not sensitive and that there should be no hesitation in sharing them?
The contradiction in MDDI’s new stance
MDDI’s argument is that NRIC numbers are akin to names—unique identifiers that are not inherently private.
The ministry reasons that masking NRIC numbers provides a “false sense of security” and that the real problem lies in their misuse for authentication rather than their disclosure.
However, this stance contradicts the principles outlined by the PDPC in 2018. The earlier position explicitly recognised the sensitivity of NRIC numbers and mandated heightened security measures to protect them.
This reversal is particularly puzzling given the continued risks, such as scammers using NRIC numbers to impersonate authorities and harass individuals or malicious actors exploiting NRICs to block SingPass accounts.
Real-world risks of NRIC misuse
The risks associated with unauthorised access to NRIC numbers are not hypothetical.
In 2019, former presidential candidate Tan Kin Lian faced harassment when an unknown individual repeatedly used his published NRIC number to attempt to log into his SingPass account.
After six failed attempts, the system automatically locked his account, forcing Mr Tan to reset his password.
As Mr Tan pointed out, “All it needs is for someone to have the NRIC number and make six attempts to get the SingPass account blocked.” This loophole highlights the practical vulnerabilities created when NRIC numbers are so widely used as identifiers.
While SingPass offers the option to change one’s ID, many users—particularly seniors—continue to use their NRIC as the default ID, leaving them vulnerable to such harassment.
Scams targeting seniors further underscore this danger. Fraudsters armed with NRIC numbers can easily pose as government officials, gain victims’ trust, and trick them into revealing sensitive information.
In a report by The Straits Times, a housewife shared how she began checking the portal after a scammer, posing as an Interpol officer, called her mother and read out her address and NRIC number.
Believing the caller to be legitimate due to the accuracy of the information, her mother almost provided her bank details. However, Tan intervened in time. She also discovered the names and NRIC numbers of her friends through the portal.
Given these examples, the 2018 position—that NRIC numbers require heightened protection due to their potential misuse—remains highly relevant today.
What has changed?
MDDI’s new stance seems to disregard the very concerns that prompted the PDPA’s stricter rules in 2018. The ministry has not provided a clear explanation for this shift.
If NRIC numbers were deemed sensitive just five years ago, why are they now considered benign? What data, policy changes, or new safeguards justify this reversal?
Has the risk of unauthorised use or disclosure decreased, or has the government decided that the potential harms are now acceptable?
Until these questions are addressed, MDDI’s position will remain difficult to reconcile with the PDPA’s earlier acknowledgment of the dangers associated with NRIC misuse.
The public deserves clarity on why such a fundamental shift in policy has occurred—and how the government plans to mitigate the ongoing risks.
Without a detailed explanation, the change appears inconsistent and undermines confidence in how the government assesses and manages personal data risks.
-
Singapore2 weeks ago
Ministers silent on legal proceedings as Bloomberg and TOC refuse demands
-
Politics1 week ago
Progress Singapore Party accuses PAP supporters of harassment during Choa Chu Kang walkabout
-
Politics1 week ago
Progress Singapore Party volunteer files police report alleging harassment during walkabout
-
International2 weeks ago
Palestinian Authority suspends Al Jazeera operations in West Bank
-
Opinion1 week ago
Holes in Low Yen Ling’s allegations against PSP: No evidence provided from her volunteers
-
Singapore4 days ago
SM Lee Hsien Loong defends CECA, calls for integration and openness amidst political sensitivities
-
Politics1 week ago
Low Yen Ling accuses PSP of “twisting the truth” over alleged harassment in Choa Chu Kang GRC
-
Comments1 day ago
Netizens criticise K Shanmugam for sharing video on alleged Bukit Gombak harassment incident