Forum: NRICs not shared the same way as full names are
I was concerned to read the media release by the Ministry of Digital Development and Information (MDDI), particularly the statement that “there should therefore not be any sensitivity in having one’s full NRIC number made public, in the same way that we routinely share and reveal our full names to others”.
This comparison is flawed. We rarely share our NRIC numbers in the same way we share our full names. We certainly don’t disclose our NRIC numbers routinely, not even for signing up for some business services.
Furthermore, MDDI seems to be placing the onus on citizens to adapt to a “new way of thinking” regarding NRIC numbers. This misses the bigger issue.
The problem lies with the Accounting and Corporate Regulatory Authority (Acra) having previously allowed NRIC numbers to be retrieved easily, with no record of who accessed them. This vulnerability would have opened the door for malicious actors to acquire critical personal information and exploit it for social engineering scams.
Acra’s website revamp (Acra disables search function for NRIC numbers on portal for now, Dec 14) suggests a lack of due diligence or sensitivity to how individuals view the matter. Even if Acra didn’t intend to facilitate data misuse (which may or may not have happened, for all we know), the implementation exposed some citizens’ information far too easily. This seems to have been brushed aside.
Citizens do not know the authentication protocols used by banks, telcos, and government agencies and hospitals. When these entities call, should we expect them to know and recite our NRIC number to us? Or do we now have to be suspicious when told of our NRIC number, full name and other details?
Suggesting that the public needs education or a mindset shift to be less sensitive seems counter-intuitive amid the rise in scams driven by artificial intelligence (using video and voice manipulation).
While the Government is exempt from the Personal Data Protection Act, it shouldn’t be seen to adopt a cavalier approach, especially when private companies face strict regulations and penalties. The spirit of data protection needs consistent application across the board.
Ivan Chew Boon Leong

