
Opinion

Misleading remarks on NRIC protection by former NMP undermine public understanding of the PDPA

Prof Eugene Tan’s claim that the government’s stance on NRIC masking aligns with the PDPA misrepresents its framework. Past PDPC actions, such as the S$30,000 fine on the Singapore Taekwondo Federation for exposing NRICs, highlight the law’s strict standards on safeguarding personal data.

The recent remarks by Singapore Management University Associate Professor of Law Eugene Tan, as reported by The Straits Times, regarding the government’s stance on the unmasking of National Registration Identity Card (NRIC) numbers, deserve scrutiny.

The former Nominated Member of Parliament stated that the government’s position, as set out in its 14 December statement, is consistent with the Personal Data Protection Act (PDPA) but “at odds with the public’s understanding and comfort level” on the use of NRIC numbers.

While Prof Tan suggested that a public education campaign could “re-socialise” attitudes towards revealing full NRIC numbers, his comments misrepresent the legal framework established by the PDPA and overlook significant precedents where individuals and entities have been penalised for exposing NRIC data to the public.

Misalignment with past PDPC enforcement actions

The Ministry of Digital Development and Information (MDDI) announced early Saturday (14 December) that it intends to change the practice of masking NRIC numbers, after privacy concerns were raised over the new Bizfile portal.

The portal, launched by the Accounting and Corporate Regulatory Authority (ACRA) on 9 December, allowed individuals’ full NRIC numbers to be accessed for free in search results, prompting significant public anxiety after former ST editor Bertha Henson highlighted the issue on her Facebook page.

MDDI acknowledged lapses in coordination. “We acknowledge that coordination could have been better so that ACRA’s move would not have run ahead of the government’s intent,” the ministry said in a statement, adding that unmasking NRIC numbers was meant to follow a public education campaign.

ACRA, in its own statement, admitted its premature rollout of the feature. “We recognise that we moved ahead with unmasking before adequately preparing the ground,” it stated.

Both agencies apologised for the anxiety caused, with ACRA pledging to refine the portal’s features to balance corporate transparency with privacy concerns.

However, the suggestion by Prof Tan that the government’s stance on NRIC numbers aligns with the PDPA disregards previous enforcement actions by the Personal Data Protection Commission (PDPC), which treated NRIC data as highly sensitive.

One striking example, among many to date, is the case of the Singapore Taekwondo Federation (STF), which was fined S$30,000 in 2018 for exposing NRIC numbers under Section 24 of the PDPA.

This section mandates organisations to protect personal data by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, or disposal.

The PDPC’s findings were unequivocal: “Given the risks and potential impact of any unauthorised use or disclosure of personal data associated with the individual’s NRIC number, organisations are expected to provide a greater level of security to protect NRIC numbers…”

In this case, STF had uploaded PDFs containing participant names and schools.

Although the NRIC numbers were minimised, they could be extracted by copying the PDF content into another document. This led to the exposure of the NRIC data of 782 students, most of whom were minors, and to significant penalties for STF.

Prof Tan’s claim that the government’s recent stance is consistent with the PDPA is misleading when viewed against this backdrop, especially as this took place before the heightened measures introduced in September 2019.

The PDPA explicitly requires organisations to implement heightened safeguards for NRIC numbers, reflecting the risks of identity theft, fraud, and harassment.

In its now-removed guidelines, introduced in 2018 and effective from 1 September 2019, the PDPC wrote: “As the NRIC number is a permanent and irreplaceable identifier which can potentially be used to unlock large amounts of information relating to the individual, the collection, use, and disclosure of an individual’s NRIC number is of special concern. Indiscriminate or negligent handling of NRIC numbers increases the risk of unintended disclosure, with the result that NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud.”

It further noted: “The Protection Obligation requires organisations to make reasonable security arrangements to protect personal data in its possession or under its control. The sensitivity and potential adverse impact to the individual of any unauthorised use or disclosure of his or her NRIC number must be taken into consideration in determining whether an organisation’s collection, use, or disclosure of NRIC numbers meets the requisite standard of reasonableness.”

“Given the risks and potential impact of any unauthorised use or disclosure of personal data associated with the individual’s NRIC number, organisations are expected to provide a greater level of security to protect NRIC numbers (or copies of NRIC) in the possession or under the control of the organisations.”

Governance at a whim?

Despite past precedents, MDDI’s announcement that it intends to change the rules on NRIC masking raises serious questions about governance and accountability.

Amendments to the PDPA reflecting this new stance have not been debated in Parliament, nor has there been any public consultation on such a significant shift.

While provisions in the Act allow the Commission to issue written advisory guidelines indicating how it will interpret the provisions of the Act, if MDDI can simply declare an intention to alter regulations without due process, this raises the question: are data protection laws and safeguards subject to change at the whim of the ministry?

Such an approach undermines public trust in the consistency and fairness of governance, particularly in matters as critical as personal data protection. For changes of this magnitude, transparency, public engagement, and proper legislative procedure must be the standard—not an afterthought or a belated effort to cover up a mistake.

The reality: ACRA is exempt from the PDPA

What may be accurate in Prof Tan’s statement is that the government’s position aligns with ACRA’s exemption from the PDPA.

As a statutory board, ACRA is not subject to the same regulations that govern private organisations or non-profits. This means that even if ACRA violates the PDPA’s principles, no penalties or enforcement actions will apply.

However, presenting this exemption as evidence of alignment with the PDPA overlooks the significant accountability gap it creates.

Private organisations like STF face strict penalties for exposing NRIC numbers, while statutory boards like ACRA can bypass these regulations entirely, despite the identical risks to public privacy and security.

Irresponsible reporting by the national press

It is deeply concerning that The Straits Times published such misleading remarks without correcting or contextualising them in its report.

The national press has a responsibility to inform the public accurately, particularly on issues of significant public interest like data privacy and the use of NRIC numbers.

The failure to address the inconsistencies between Prof Tan’s remarks and the PDPA’s established enforcement history risks misinforming the public.

It also highlights the limits of Singapore’s POFMA (Protection from Online Falsehoods and Manipulation Act), which appears inapplicable in cases where the national press and individuals toe the government’s line while spouting inaccurate statements.
