NATIONAL Registration Identity Card (NRIC) numbers should not be treated as sensitive information, and instead be viewed as full names currently are, a Ministry of Digital Development and Information (MDDI) spokesperson said on Saturday (Dec 14).
“As a unique identifier, the NRIC number is assumed to be known, just as our real names are known.
“There should therefore not be any sensitivity in having one’s full NRIC number made public, in the same way that we routinely share and reveal our full names to others,” the spokesperson said.
The response comes after public concern over the availability of full NRIC numbers of citizens on the Accounting and Corporate Regulatory Authority’s (Acra) Bizfile online portal. The portal is used for business registrations and filings.
The MDDI spokesperson added that NRIC numbers can be misused when organisations rely on them as a form of authentication to access information or perform transactions.
“But just as our names alone would not be suitable as the basis for such authentication, neither should the NRIC number be used for this purpose,” the spokesperson said.
BT in your inbox
Start and end each day with the latest news stories and analyses delivered straight to your inbox.
The spokesperson acknowledged the existing practice of collecting masked NRIC numbers (which, for instance, reveal only the last four digits) by organisations – however, these numbers can already be easily derived through basic algorithms, especially if the birth year of the person is known.
Furthermore, the spokesperson noted that public agencies have been phasing out the use of masked NRIC numbers to avoid giving a false sense of security.
“The government’s intent was to change the existing practice of masking the NRIC number only after explaining the issue and preparing the ground.”
Search feature disabled
In response to the media’s queries about disclosures of NRIC numbers on the Bizfile system, Acra said that one of the system’s functions is to provide access to information – such as full NRIC numbers – so that the public can confirm the identity of individuals. This may be important for business contracts, for example.
“The availability of such information supports corporate transparency and trust in the business environment. It also facilitates due diligence checks and guards against illicit activities,” it said.
Acra said that the previous Bizfile portal allowed users to search for an individual, who may be a company office holder or business owner in Singapore, and obtain his or her name and masked NRIC numbers.
“Users could then select a specific individual and pay for the complete set of information about that individual, which would include his or her full NRIC number, as well as address,” it said.
While the updated Bizfile portal, which was launched on Dec 9, retains the same search feature for users, it provided full rather than masked NRIC numbers, hence the public concerns.
Acra has disabled the search feature for now, apologising for “causing anxiety to the public”.
“We recognise that we had moved ahead with the unmasking before public education on the appropriate use of NRIC information could be done,” it said.
“As a result, many reacted negatively to the new search feature, and expressed unease about their full NRIC numbers being made public.”
An MDDI spokesperson said: “We acknowledge that coordination could have been better so that Acra’s move would not have run ahead of the government’s intent.”
The spokesperson added that MDDI and the Personal Data Protection Commission (PDPC) will be conducting public education efforts to help Singaporeans adjust to this new way of thinking about NRIC numbers, in which they are no longer considered private and confidential information.
Change in approach to NRIC numbers
The comments suggest a change in the government’s stance towards the use of NRIC numbers.
Since Sep 1, 2019, organisations have been legally barred from collecting, using or disclosing NRIC numbers or making copies of identity cards as part of stricter rules enforced by PDPC.
At the time, it was noted that companies were collecting NRIC details for frivolous reasons, such as booking a movie ticket or renting a bicycle.
“Where the collection, use and disclosure of NRIC numbers or retention of physical NRICs is permitted, organisations must ensure that adequate protection measures are in place to safeguard the personal data in their possession or under their control, in compliance with their obligations under the Public Data Protection Act,” the commission said then.
On its website, the PDPC also states that organisations collecting partial NRIC numbers up to the last four alphanumeric characters are not subject to NRIC guidelines, “but must still ensure that they put in place adequate measures to protect the NRIC details and other personal data”.
It is unclear whether companies will be able to collect full NRIC numbers from customers for any purposes beyond those in regulated sectors, such as banking and telecoms.
If so, this could potentially create new vulnerabilities in different settings.
In a recent case, a couple found their credit cards cancelled and bank accounts blocked after their identities were stolen while they were travelling in Japan in October.
A UOB spokesperson told the media that callers are required to provide personal details of cardholders, such as NRIC numbers, card and account details to make such moves. He added that this is in line with industry standards.
DBS also noted that callers only need to provide an account holder’s full name and phone or NRIC numbers for cards to be blocked.
Other countries that issue unique personal identifiers have also faced challenges in ensuring the protection of such numbers.
In September, over 270 million Americans were believed to have had their unique social security numbers leaked on the dark web after data broker company National Public Data suffered a data breach.
Under certain circumstances, such as active identity theft or danger to personal safety, citizens can make a report to the Federal Trade Commission and request for a change in social security numbers.
