NRIC numbers aren't secret, but you shouldn't freely post them online. Here's why.

A lot has been said about the NRIC number in recent days.

Is it secret? Is it sensitive?

If the influx of information makes you feel like you're seeing things from more perspectives than before, we've got you.

Here's a crash course to clear things up.

NRIC numbers aren't secret, but they're still (kinda) sensitive.

Let's take it back to 2018 for a sec.

Singapore in 2018 was a different time.

Companies could collect NRICs (and their associated details) freely, and they did: everyone, from hotels to bicycle rental kiosks at East Coast Park.

In the name of data protection, the government put a stop to this via a set of new guidelines issued by the Personal Data Protection Commission (PDPC).

Non public-sector companies would no longer be allowed to collect, use, or disclose Singaporeans' NRIC numbers, unless required by law or when really necessary.

Unsurprisingly, many Singaporeans took this to mean that NRIC numbers were confidential and secret.

They became widely used as a form of authentication, which is a fancy word that means "to prove your identity".

Want to view your payslip? Your credit card statement? Your insurance policies? Key in your NRIC, please, and thank you.

More importantly, though, people began to see the NRIC as a sort of secret code.

If someone used your NRIC number — such as government agencies, when sending official text messages — it'd only be natural to see such a person as an authority figure.

It was so secret, in fact, that some people would use their NRICs as passwords for website access, accounts, and so on.

But the government has now made it clear: NRICs are not secret.

The "masked" version of NRICs that we've all become fairly comfortable with — S****123A, for instance — are apparently not quite as secure as we'd thought.

Through the use of algorithms, and particularly if someone has your birthdate as well, it is possible to "make a good guess" at your full NRIC number, according to the Ministry for Digital Development and Information Josephine Teo.

So, NRICs aren't secret information.

It's possible for a scammer to get hold of your NRIC number and impersonate a police officer to get you to hand over your money — and even to access your personal documents or accounts that are password-protected with your NRIC number.

But just like how you wouldn't blurt out your full name or address to anyone who asks, maybe don't post your NRIC numbers online either.

After all...

NRIC numbers still have a function. They're identifiers, not authenticators.

Imagine you're in a hospital.

There are two people sitting in the waiting room. One woman is here because she has a bout of the flu; the other is due for a massively invasive surgery.

And, by pure coincidence, they're both called Tan Jia Yee.

This is when an NRIC number would come in quite handy.

Right before entering the operating room, the doctor would probably ask the woman to recite her full NRIC number, just to make sure she's the right Tan Jia Yee.

In other words, the NRIC number is being used as an identifier — a means of ensuring that you have the right individual. Or the right Tan Jia Yee, in this case.

The fact that the NRIC number is used to verify a person's identity means it's probably not a complete secret.

The doctor, the nurse, and the other Tan Jia Yee eavesdropping on the conversation might also have access to this bit of information.

But it's still a crucial piece of information that you might not necessarily want the whole world to know.

And so the NRIC does still have a function — identification.

Masking an NRIC number may not be valuable. That doesn't mean it's public information.

As mentioned, masked NRIC numbers can potentially be used to deduce an individual's full NRIC number.

But does that mean that everyone's full NRIC numbers should be put out there? Hard no.

That, in fact, was related to how the original Bizfile issue came about in the first place.

The government, hoping to move away from the flawed masked-NRIC system, put out a circular to other agencies to stop masking NRICs in new processes and services.

But this was, unfortunately, interpreted as an order for ACRA to unmask NRICs in its new Bizfile portal.

However, the intention was for government agencies to use full NRICs internally, to avoid any cases of misidentification.

Not, as how ACRA interpreted it, for NRIC numbers to be made public, to the private sector and beyond.

Teo clarified that for purposes of identification outside the government, it may not be necessary for NRIC numbers to be used at all, as phone numbers or email addresses can be used instead, for instance.

She emphasised:

"In other words, not using masked NRIC numbers does not mean we will unmask all currently masked NRIC numbers. So I want to say that again, not using masked NRIC numbers does not mean that we will unmask all currently masked NRIC numbers.

We should have made this clear too."

Point taken.

OK, so how now?

The immediate impact of this: The government will soon commence its efforts to stop agencies from using NRIC numbers as passwords or authenticators.

Public consultations will be done, the PDPC guidelines will be updated, and public education efforts will be initiated to get Singaporeans up-to-date on best practices for their NRIC numbers.

In the meantime, organisations should begin to phase out using NRIC numbers for authentication purposes.

And if you happen to have your NRIC number set as your Netflix login — well, you should probably change that too.

Top image by Mothership