NRIC shouldn’t be used as an identifier for authentication or passwords, says PDPC

The Personal Data Protection Commission (PDPC) has issued a statement clarifying the appropriate use of National Registration Identity Card (NRIC) numbers, following the public outcry over the unmasking of NRIC numbers on the Accounting and Corporate Regulatory Authority’s (ACRA) Bizfile platform. In its statement on Saturday (14 Dec), the PDPC underscored that NRIC numbers should neither be used by individuals as passwords nor by organisations to authenticate identity or set default passwords. “The NRIC number should not be used as a password, just as our names are not used as passwords,” the PDPC said. It urged individuals currently using their NRIC numbers as passwords to change them immediately, offering guidance on how to create more secure credentials. The PDPC added that NRIC numbers are not secret and are unsuitable for authentication purposes. “A person’s name and NRIC number identifies who the person is. Authentication is about proving you are who you claim to be. This requires proof of identity, for example, through a password, a security token or biometric data,” the statement explained. Organisations relying on NRIC numbers for authentication or as default passwords were advised to phase out these practices. “The NRIC number should also not be used as the default password for services provided to an individual. Organisations that have such practices should phase them out as soon as possible,” the PDPC emphasised. Despite the PDPC’s guidance against using NRIC numbers for authentication, it is notable that SingPass, Singapore’s government authentication service, uses NRIC numbers as the default login ID for users. While SingPass allows users to change their login ID, many, especially seniors and less tech-savvy individuals, continue to use their NRIC numbers out of familiarity. The commission also reminded organisations that NRIC numbers remain personal identifiers subject to the data protection obligations outlined in the Personal Data Protection Act (PDPA). “Like any personal identifier, the NRIC number is still subject to the data protection obligations in the PDPA. Therefore, organisations collecting NRIC data must still obtain valid consent, comply with reasonable use, and ensure protection,” the PDPC said, stressing its history of enforcing these requirements.

Response to Public Concerns

The PDPC’s statement comes in the wake of heightened public scrutiny following ACRA’s Bizfile platform launch on 9 December 2024, which allowed full NRIC numbers to be accessed for free. The incident, brought to light by former Straits Times editor Bertha Henson in a viral Facebook post, sparked privacy concerns and prompted calls for accountability. On 13 December, the Ministry of Digital Development and Information (MDDI) issued a statement acknowledging lapses in coordination and apologising for the incident. “We acknowledge that coordination could have been better so that ACRA’s move would not have run ahead of the government’s intent,” the MDDI said, adding that unmasking NRIC numbers was part of a broader policy to phase out masking practices, which the ministry argued provided a “false sense of security.”

Removal of Advisory Guidelines

“We have received questions and feedback from the public following yesterday’s statements by MDDI on the appropriate use and misuse of NRIC numbers,” the PDPC said. Acknowledging public confusion, the PDPC apologised and confirmed plans to update the guidelines to reflect the government’s new policy direction. “We recognise that the PDPC advisory guidelines for NRIC and National Identification Numbers need to be updated to align with the statement. We will not be making any further changes until we have completed our consultations with industry and members of the public,” the commission said. While the PDPC stated that the Advisory Guidelines on NRIC and Other National Identification Numbers, introduced in 2018, are under review, it did not acknowledge their removal from its website following the public outcry or explain why they were taken down despite no revisions having been completed at this time. The advisory was subsequently put back online on 14 December with comments.

Inconsistency of position on NRIC

The controversy has reignited debate over Singapore’s data privacy policies, with critics pointing to past PDPC enforcement actions as evidence of inconsistency. In one of many examples, the PDPC fined the Singapore Taekwondo Federation S$30,000 in 2018 for exposing minors’ NRIC numbers in a competition-related document. This enforcement occurred before the stricter regulations introduced in September 2019, which heightened the standards for protecting NRIC numbers. At the time, the PDPC described NRIC numbers as sensitive data requiring heightened protection due to the risks of identity theft and fraud. In August 2018, the PDPC introduced stricter guidelines, stating: “As the NRIC number is a permanent and irreplaceable identifier which can potentially be used to unlock large amounts of information relating to the individual, the collection, use, and disclosure of an individual’s NRIC number is of special concern. Indiscriminate or negligent handling of NRIC numbers increases the risk of unintended disclosure, with the result that NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud.” As the government works to reconcile its policy direction with public expectations, the PDPC has pledged to clarify its guidelines and engage with stakeholders. “We will fully address the public’s concerns and questions as soon as possible,” the commission assured.