What you need to know about the ban on private organisations using NRIC numbers for authentication

LaksaNews

SINGAPORE: Private organisations have until the end of 2026 to phase out the use of NRIC numbers for authentication, the Personal Data Protection Commission (PDPC) announced on Monday (Feb 2).

Authentication refers to the process of proving that a person is who they claim to be, before granting them access to services or information intended only for them. This differs from identification, where identifiers such as names are used to distinguish people.

The latest announcement came as the authorities move to reduce the risk of unauthorised access to services and information.

Here is what you need to know about the NRIC authentication ban:

How did the ban come about?

In 2024, the Accounting and Corporate Regulatory Authority (ACRA) launched the then new Bizfile portal, sparking public backlash after it was found that people's full NRIC numbers and names could be obtained via the portal for free.

Under ACRA's previous system, users could search for people who were office holders or business owners in Singapore, with their names, as well as masked NRIC numbers, turning up in search results.

Users could then pay for the complete set of information about an individual, which would have included his or her full NRIC number as well as an address.

Following the backlash, the PDPC and Cyber Security Agency (CSA) issued a joint advisory last year to private sector organisations clarifying that NRIC numbers should not be misused for authentication.

Government agencies have already moved away from using NRIC numbers for authentication, said the PDPC on Monday.

What would be considered an improper use of an NRIC number for authentication?

According to PDPC's website, organisations are generally not allowed to collect, use or disclose an individual's NRIC number, unless it is required by law or if it is necessary to identify a customer to a high degree of accuracy.

Organisations should also not use NRIC numbers, whether full or partial, as any factor of authentication.

Examples of misuse for authentication include using NRIC numbers – in full or part – as default passwords. This includes cases where the passwords are NRIC numbers on their own or together with other easily obtainable personal data, such as names and birthdates.

This is because NRICs are "issued to uniquely identify a person and must be assumed to have been disclosed to at least a few other persons, which reduces their effectiveness as a factor of authentication", said PDPC on its website.

"When passwords are used to authenticate a person, strong passwords that are not easily guessed should be used. Passwords containing information that can be obtained easily, including personal data such as names, NRIC numbers or birthdates, are not strong passwords."

What organisations are affected by the move?

Any organisation that needs to collect or use NRIC numbers to identify a customer to a high degree of fidelity will be affected by the move.

Examples include organisations that deal with transactions typically relating to healthcare, financial or real estate matters, such as medical check-ups and reports, background credit checks with a credit bureau, and property transactions.

Other organisations include insurance companies, vehicle rental companies, utility service providers and retailers, telecoms providers and veterinary clinics.

The Ministry of Digital Development and Information (MDDI) said on Tuesday that the Infocomm Media Development Authority, Monetary Authority of Singapore and the Ministry of Health have issued guidance to the telecommunications, finance and insurance, and healthcare sectors on ceasing the use of NRIC numbers for authentication within their sectors.

How can NRIC numbers be used going forward?

Private organisations will have until Dec 31, 2026, to phase out the use of NRIC numbers for authentication.

In the public sector, the government is moving away from using partial NRIC numbers in progressive stages. MDDI said partial NRIC numbers are not reliable for identifying individuals accurately, as some individuals may share the same partial NRIC numbers. There were instances where two individuals shared both the same name and partial NRIC number.

"Moving away from the use of partial NRIC numbers does not mean that full NRIC numbers will automatically be used in all cases," said MDDI.

"Where there is no need to accurately identify someone, there will not be a need for NRIC numbers to be used at all. When there is a need to identify individuals accurately, such as in licences and employment letters, public agencies will progressively move to using full NRIC numbers instead."

The ministry said it would continue to hold consultations and review public feedback before adjusting guidelines on the use of partial NRIC numbers in the private sector.

What sort of action will be taken against those who misuse NRIC numbers?

Organisations that misuse NRIC numbers may be penalised under the Personal Data Protection Act for failing to make reasonable security arrangements to protect personal data.

The PDPC warned that it will step up enforcement action against such misuse from Jan 1, 2027, including imposing directions or financial penalties for such breaches where appropriate.

What can you do if an organisation uses your NRIC number improperly?

The onus is generally on the organisation to assess whether it is required to collect your NRIC number.

If you suspect that an organisation is using your NRIC number improperly, PDPC advises that you seek clarity on its usage with the organisation's data protection officer (DPO). The DPO's contact information can be found in the organisation's privacy policy or through PDPC's DPO enquiry form.

If the DPO does not respond within 10 business days, you can report the incident to PDPC online.

Should other identifying numbers be treated the same way as NRIC numbers?

The treatment for NRIC numbers also applies to other identifying numbers such as birth certificate numbers, foreign identification numbers and work permit numbers issued by the Singapore government, as those numbers are also permanent and irreplaceable identifiers, said PDPC.

Passport numbers, despite being periodically replaced, are also considered important identifying numbers that can serve the same purposes as NRIC, foreign identification, work permit and birth certificate numbers, and thus should be treated similarly to such numbers.
