SM Teo: Officers to face measures over mass disclosure of NRIC numbers on government portal

SINGAPORE: Officers and senior management involved in the missteps that led to the mass disclosure of NRIC numbers on a government business portal will face a range of measures, including counselling, retraining, and reductions in their performance grade and performance-based payments, Senior Minister Teo Chee Hean told Parliament on 6 March.

This follows a review panel’s investigation into the incident on 9 December 2024, which found lapses in processes and communication between the Accounting and Corporate Regulatory Authority (Acra) and the Ministry of Digital Development and Information (MDDI).

Delivering a ministerial statement, Teo stated that while the review found no malicious or wilful wrongdoing by the officers, there were “inadequacies in their judgment and actions.”

Key lapses identified

The review panel, in its report released on 3 March, identified six instances where agencies could have handled the situation better.

One major issue was unclear policy communication from MDDI regarding the Government’s plans to phase out NRIC numbers for authentication.

The lack of clarity contributed to the unintended disclosure of full NRIC numbers on Acra’s Bizfile portal.

The officers facing corrective measures include those directly responsible for the lapses, as well as senior management who provided oversight.

The review panel submitted its findings on 25 February to SM Teo, who is also Minister-in-charge of Public Sector Data Governance.

He accepted the findings and reported them to Prime Minister Lawrence Wong the following day.

Accountability at senior levels

Addressing accountability, Teo emphasised that political office holders overseeing Acra and Smart Nation efforts at MDDI bear overall responsibility for their organisations.

He stated that Digital Development Minister Josephine Teo and Minister in the Prime Minister’s Office and Second Minister for Finance Indranee Rajah have publicly accepted responsibility and apologised for the incident.

He further noted that the Permanent Secretaries of the Smart Nation and Digital Government Office, now under MDDI, were responsible for implementing the policy, while Acra’s chief executive, Chia-Tern Huey Min, was in charge of the design and implementation of the new Bizfile portal.

Teo clarified that the review was not a disciplinary process and that any disciplinary action, if warranted, would be handled by the respective public agencies.

Upholding public trust

Teo stressed that the Public Service holds its officers to a high standard of conduct. “Singaporeans deserve this,” he said, acknowledging that mistakes may occur given the complexity of public services.

He added that while misconduct would be dealt with severely, this incident underscored the Government’s commitment to continuous improvement.

The review panel, led by Head of Civil Service Leo Yip, also criticised security lapses at Acra that violated internal data management rules, as well as inadequate public communication by the agencies involved.

The panel stated that the agencies should have provided clear information on the incident more promptly.

By disclosing full NRIC numbers, Acra was found to have breached the Government’s internal code, known as IM8, which regulates public agencies’ use and disclosure of citizens’ data.

The IM8 guidelines are aligned with the Personal Data Protection Act but adapted for the public sector.

Currently, existing laws do not impose financial penalties on public agencies that breach IM8 rules.

However, SM Teo stated that responsible officers will face other corrective measures, including retraining and impacts on their performance assessments.

He reaffirmed the need for transparency and trust in public service. “This recent incident, while regrettable, demonstrates the Government’s commitment to continuous improvement, to uphold the trust Singaporeans have placed in us,” he said.

How the lapse occurred

The issue arose due to a misunderstanding of an internal policy directive issued by MDDI in July 2024.

The directive aimed to phase out the use of masked NRIC numbers in government systems but was meant to apply only to internal processes.

However, ACRA mistakenly applied it to its public-facing Bizfile portal.

Email exchanges between ACRA and MDDI failed to clarify this distinction.

ACRA interpreted the directive as requiring full NRIC numbers to be displayed publicly, while MDDI, using the term “unmasking” as shorthand for discontinuing the use of masked numbers, did not realise that ACRA had misunderstood its intent.

As a result, when ACRA launched its new Bizfile portal on 9 December 2024, the People Search function displayed full NRIC numbers.

This sparked a public outcry, especially after former journalist Bertha Henson highlighted the issue on 12 December. The search function was disabled the next evening.

In December last year, a week after the issue surfaced, Minister Josephine Teo and ACRA Chief Executive Chia-Tern Huey Min addressed the matter at a press conference on 19 December 2024, expressing regret over the mistake.

Teo stated: “First, I would like to acknowledge the public’s concerns, which we take very seriously. We are deeply sorry for causing them anxiety.”

Following the release of the report, the Ministry of Finance (MOF) and ACRA issued a joint statement on 3 March 2025, accepting the review panel’s findings and outlining steps to prevent similar incidents.