THE Accounting and Corporate Regulatory Authority (Acra) will remove National Registration Identity Card (NRIC) numbers from its “people search” function on its Bizfile portal when it is relaunched some time next week, the authority said on Thursday (Dec 19).
But users can still purchase reports of individuals to access their full NRIC numbers.
At a joint press briefing, Acra chief executive Chia-Tern Huey Min apologised for causing anxiety and concern over the disclosure of NRIC numbers in its portal, and said that they were revealed in full due to a misunderstanding between the authority and the Ministry of Digital Development and Information (MDDI).
Earlier in July, MDDI had issued a circular for government agencies to stop using masked NRIC numbers in new business processes and services.
“Acra had sought to clarify with MDDI what was the scope and implementation timeline of this new requirement, but communications between the two agencies was not sufficiently clear,” said Chia-Tern.
“Acra then proceeded on the misunderstanding that it should unmask NRIC numbers in the new BizFile portal. This was a mistake on Acra’s part, and I apologise for it.”
BT in your inbox
Start and end each day with the latest news stories and analyses delivered straight to your inbox.
On Dec 12, members of the public found that the Bizfile portal showed full NRIC numbers in its search results, raising privacy concerns.
The portal had made the feature available after it was updated on Dec 9. A prior version of the portal showed masked NRIC numbers, revealing just the last four alphanumeric characters of the number.
A revised function
On Dec 13, the “people search” function was disabled. When a revised function is introduced next week, search results will not show any NRIC numbers, Second Minister for Finance Indranee Rajah said at a press briefing on Thursday.
Those requiring more information about specific individuals can pay to obtain the information from the national regulator. This is a service that it has to provide as the national business register, in line with laws administered by Acra such as the Acra Act and the Companies Act, she added.
At Thursday’s press briefing, Minister for Digital Development and Information Josephine Teo said: “My ministry shares the responsibility for how events unfolded, and we, too, apologise to the public for the anxiety caused.”
Minister Indranee noted that there will be a review of the incident to find out how the misunderstanding came about, and if anything should be done relating to the incident after considering its impact.
She acknowledged that while the removal of NRIC numbers from the Bizfile record display could make the service less convenient, it was also necessary to restrict the searchability of NRIC numbers.
She noted that users can also use the entity search to narrow their search results if they know which company a person is affiliated to. She added that the authorities are looking into ways to make searches easier for the public while addressing privacy concerns.
Minister Teo said that she understood why there could be some confusion among the public about the government’s current stance on NRIC numbers.
She said that the government’s move to eliminate the use of masked NRIC numbers came about because it recognised that the practice created a false sense of security among Singaporeans on how the data can be used.
Full NRIC numbers can be derived relatively easily from masked numbers, especially if a person’s date of birth is known, she added.
Furthermore, Teo said that the government should have made clear that just because it was moving away from using masked NRIC numbers does not mean that full NRIC numbers will be used in all circumstances.
While it may be more useful for doctors and nurses to identify a patient with their full NRIC number before providing treatment, she said that alternatives, such as phone numbers or e-mail addresses should be used for lower-fidelity use cases, such as membership sign-ups or lucky draws.
Teo said that while the government had planned to re-establish the idea of using full NRIC numbers as unique identifiers through public awareness campaigns, the communication plans were not ready.
“Keep in mind that continuing to use masked NRIC numbers within government will also run the risk of giving ourselves a false sense of security, so we decided that it was better to move ahead with making the change in government,” she said.
Private sector approach to NRIC numbers
Teo also acknowledged that while the government may have decided to stop the practice of using masked NRIC numbers, there may have been confusion around the government’s stance on private sector companies’ approach to masked NRIC numbers.
Currently, the Personal Data Protection Commission’s (PDPC) advisory guidelines state that companies that collect masked NRIC numbers are not subjected to the NRIC guidelines, although they are still responsible for putting in place adequate measures to protect personal data.
Teo said: “We have not taken a position on what (the stance) should be for the private sector, and consultation is necessary before we land on a position that is appropriate for the private sector.”
The PDPC’s existing advisory guidelines will also remain in force until new guidelines are updated after a public consultation by the commission, which is slated to start in 2025, the ministry said.
Teo added that due to the incident involving the Bizfile portal, the timeline for the government to roll out changes to NRIC numbers and communicate these changes to the public has become “more compressed”.
In the meantime, she urged companies to stop using NRIC numbers to authenticate interactions with the public.
“Organisations also need to know, through public education, that this is inappropriate,” she said.
“Although this has always been the position and PDPC has taken organisations to task, I think the fact that some organisations still use it for authentication speaks to the fact that the public education has not gone far enough.”
Use of NRIC in bank transactions
In a separate statement, the Association of Banks in Singapore (ABS) said that banks are conducting a thorough review of their practices on the use of NRIC numbers, and that some existing practices may be changed as a result of that review.
Customers who have used their NRIC numbers or other personal identifiable information – such as their date of birth – as their password for login should change them, it added.
ABS noted that NRIC numbers alone cannot be used to make payments and fund transfers.
Banks apply multi-factor authentication at login for online financial services and there is an additional layer of control to authorise activities with higher risk – such as raising fund transfer limits or adding a new payee – after login.
However, it noted that some banks have opted to use NRIC numbers in urgent situations, such as when they are responding to ongoing scams. In such events, they are used to quickly identify customers in need of immediate assistance to prevent fraudulent transactions.