NRIC numbers should not be used as passwords or for authentication: Personal Data Protection Commission
NRIC numbers are still subject to the data protection obligations in the Personal Data Protection Act (PDPA).
National Registration Identity Card (NRIC) numbers should not be used as passwords, said the Personal Data Protection Commission (PDPC).
The national data privacy watchdog also warned against organisations using NRIC numbers to authenticate an individual’s identity or set default passwords.
The statement on Dec. 14 follows public attention on the disclosure of NRIC numbers on the Accounting and Corporate Regulatory Authority's (ACRA) new Bizfile portal.
The Ministry of Digital Development and Information (MDDI) had said in an earlier statement on Dec. 13 that it intends to move away from the practice of masking NRIC numbers.
MDDI said:
"As a unique identifier, the NRIC number is assumed to be known, just as our real names are known."
As such, there should "not be any sensitivity in having one's full NRIC number made public."
Like any personal identifier, however, the NRIC number will still be subject to the data protection obligations in the Personal Data Protection Act (PDPA), PDPC reiterated.
Use of NRIC numbers by individuals as passwords
The NRIC number should not be used as a password, just as personal names are not used as passwords, PDPC said.
"Anyone who has done so should immediately change their password," the commission emphasised.
“If the change function cannot be found on the service portal, it is best to contact the service provider immediately for advice to change the password,” it added.
Use of NRIC numbers by organisations for authentication
As the NRIC number is not a secret, it should not be used by an organisation for authentication purposes, PDPC said.
"A person’s name and NRIC number identifies who the person is. Authentication is about proving you are who you claim to be. This requires proof of identity, for example, through a password, a security token or biometric data," it explained.
Action will be taken against organisations that have used NRIC numbers for authentication, the watchdog added.
The NRIC number should also not be used as the default password for services provided to an individual, and organisations that have such practices are advised to phase them out as soon as possible.
While the government is moving away from masking the NRIC number, the number is still subject to the data protection obligations in the Personal Data Protection Act (PDPA).
Therefore, organisations collecting NRIC data must still obtain valid consent, comply with reasonable use and ensure protection, PDPC said.
PDPC’s advisory guidelines
Following MDDI's statement on the appropriate use and mis-use of NRIC numbers, PDPC has received questions and feedback from the public, it said.
"We recognise that the PDPC advisory guidelines for NRIC and National Identification Numbers needs to be updated to be aligned with the statement," it said.
"We are sorry for the confusion caused to the public and will fully address the public’s concerns and questions as soon as possible."
The commission said it will not be making any further changes until it has completed consultations with industry and members of the public.
The guidelines will then be updated to align with the new policy intent.
NRIC numbers publicly listed on new ACRA website
A recently launched digital portal by the Accounting and Corporate Regulatory Authority (ACRA) was found to have a somewhat alarming new feature: the ability to search for citizens' NRIC numbers.
Through the platform's new "People Profile" feature, Singaporeans' full NRIC numbers can be searched, simply by keying in the citizen's name.
This included politicians and people who were deceased.
The feature was described as a means to help users "search for business information" and "[track] the business entities a person is/was involved in", according to the website.
In a Frequently Asked Questions segment about the platform, ACRA explained that the NRIC numbers are not masked to allow for "clear and unambiguous identification of individuals associated with businesses".
In 2019, the Personal Data Protection Commission (PDPC) announced that organisations would be legally barred from collecting, using, or disclosing NRIC numbers.
Top photo from ICA