SINGAPORE: Private organisations have until Dec 31, 2026 to phase out the use of NRIC numbers for authentication, said the Personal Data Protection Commission (PDPC) on Monday (Feb 2).
Enforcement action against the misuse of NRIC numbers will be ramped up after that, PDPC added, as it moves to reduce the risk of unauthorised access to services and information.
In June 2025, PDPC and the Cyber Security Agency (CSA) issued a joint advisory to private sector organisations clarifying that NRIC numbers should not be misused as an identity verification method.
"Organisations that use NRIC numbers for authentication to access personal data may be found to have breached the Personal Data Protection Act (PDPA) for failing to make reasonable security arrangements to protect personal data," said PDPC.
"From Jan 1, 2027, the PDPC will step up enforcement action against such misuse, including imposing directions or financial penalties for such breaches where appropriate.
Examples of misuse include using NRIC numbers - in full or part - as default passwords. This includes cases where the passwords are NRIC numbers on their own or together with other easily obtainable personal data, such as names and birthdates.
“Government agencies have already moved away from using NRIC numbers for authentication, to reduce the risk of unauthorised access to services and information,” PDPC said.
The Infocomm Media Development Authority, Monetary Authority of Singapore and the Ministry of Health have also issued guidance to the telecommunications, finance and insurance, and healthcare sectors on stopping the use of NRIC numbers for authentication.
Last January, Minister for Digital Development and Information Josephine Teo said in a ministerial statement that private sector organisations that were using NRIC numbers as authentication factors or default passwords should stop the practice as soon as possible.
She said at the time that those organisations which collect partial NRIC numbers to identify people can continue to do so, and that the ministry would only consider how the guidelines on NRIC number usage in the private sector should be updated after consulting the public.
It came after public backlash in December 2024 when the new Bizfile portal was launched by the Accounting and Corporate Regulatory Authority (ACRA), which published people’s full NRIC numbers and names for free in its search results.
Continue reading...
Enforcement action against the misuse of NRIC numbers will be ramped up after that, PDPC added, as it moves to reduce the risk of unauthorised access to services and information.
In June 2025, PDPC and the Cyber Security Agency (CSA) issued a joint advisory to private sector organisations clarifying that NRIC numbers should not be misused as an identity verification method.
"Organisations that use NRIC numbers for authentication to access personal data may be found to have breached the Personal Data Protection Act (PDPA) for failing to make reasonable security arrangements to protect personal data," said PDPC.
"From Jan 1, 2027, the PDPC will step up enforcement action against such misuse, including imposing directions or financial penalties for such breaches where appropriate.
Examples of misuse include using NRIC numbers - in full or part - as default passwords. This includes cases where the passwords are NRIC numbers on their own or together with other easily obtainable personal data, such as names and birthdates.
“Government agencies have already moved away from using NRIC numbers for authentication, to reduce the risk of unauthorised access to services and information,” PDPC said.
The Infocomm Media Development Authority, Monetary Authority of Singapore and the Ministry of Health have also issued guidance to the telecommunications, finance and insurance, and healthcare sectors on stopping the use of NRIC numbers for authentication.
Last January, Minister for Digital Development and Information Josephine Teo said in a ministerial statement that private sector organisations that were using NRIC numbers as authentication factors or default passwords should stop the practice as soon as possible.
She said at the time that those organisations which collect partial NRIC numbers to identify people can continue to do so, and that the ministry would only consider how the guidelines on NRIC number usage in the private sector should be updated after consulting the public.
It came after public backlash in December 2024 when the new Bizfile portal was launched by the Accounting and Corporate Regulatory Authority (ACRA), which published people’s full NRIC numbers and names for free in its search results.
Continue reading...