Personal Data Protection Commission updating guidelines on use of NRIC numbers
Sign up now: Get ST's newsletters delivered to your inbox
The update comes amid Acra temporarily disabling its search function that revealed people's NRIC numbers.
PHOTO: ST FILE
Follow topic:
SINGAPORE – Singapore’s data privacy watchdog is updating guidelines on how National Registration Identity Card (NRIC) numbers can be collected, used and shared.
This follows a Dec 14 statement that the Government intends to move away from the practice of masking NRIC numbers.
Checks on the website of the Personal Data Protection Commission (PDPC) on Dec 14 showed that the guidelines were no longer available.
A notice on the website said: “The document is temporarily unavailable as it is undergoing updates.”
The guidelines were made available again in the early hours of Dec 15.
In response to media queries, the PDPC said its guidelines need to be updated to be aligned with the Dec 14 statement.
“We will not be making any further changes until we have completed our consultations with industry and members of the public. The guidelines will then be updated to align with the new policy intent,” added the PDPC on the night of Dec 14.
The commission had received questions and feedback from the public following the statement by the Ministry of Digital Development and Information (MDDI) on the appropriate use and misuse of NRIC numbers.
PDPC added: “We are sorry for the confusion caused to the public and will fully address the public’s concerns and questions as soon as possible.”
In its 2018 guidelines, the commission had advised people not to provide their full NRIC numbers to companies, unless doing so was legally required or needed to prove one’s identity.
NRIC numbers “can potentially be used to unlock large amounts of information relating to the individual”, it noted.
It advised them instead to provide other personal data, such as cellphone numbers or partial NRIC numbers – for instance, by rendering S0123456A as ****456A – for verification.
On Dec 9, the Accounting and Corporate Regulatory Authority (Acra) launched its new Bizfile web portal, which allowed people to view the full NRIC numbers of others,
This function was temporarily disabled on Dec 13
But in its Dec 14 statement, the Ministry of Digital Development and Information (MDDI) said people can make a good guess at someone’s full NRIC number from the masked number using basic algorithms, “especially if one also knows the year of birth of the person”.
As such, the ministry said “there is no need to mask the NRIC number, nor is there much value in doing so”.
It said the Government had intended to change the existing practice of masking NRIC numbers “only after explaining the issue and preparing the ground”.
Acra’s move on its Bizfile portal had “run ahead of the Government’s intent”, said MDDI. It apologised for not coordinating better between agencies and causing public anxiety.
As a public agency, Acra is exempt from provisions under the Personal Data Protection Act (PDPA) – the set of laws that govern the collection, use and disclosure of personal data by organisations.
Singapore Management University associate professor of law Eugene Tan said the Government’s Dec 14 stance is consistent with the PDPA but “at odds with the public’s understanding and comfort level” on the use of NRIC numbers.
“The official shift in practice towards revealing full NRIC numbers cannot simply ignore this lived reality,” said Prof Tan.
“Singaporeans have been socialised into being sensitive to having their full NRIC number made public, and have accepted and internalised this.”
Technology lawyer David Alfred, the co-head of data protection, privacy and cyber security at Drew & Napier, said MDDI’s Dec 14 statement “is not a fundamental change in approach but more of a clarification as to when NRIC numbers can be collected, used and disclosed”.
Acra has an important role to play in regulating business activities and has good reasons to disclose the identities of company directors and shareholders, he noted. But an organisation may still flout PDPA rules if it collects and uses an individual’s NRIC number from Bizfile where it is not necessary or appropriate.
“I believe the Government needs to find the right balance between disclosure of full NRIC numbers and ensuring that individuals can protect themselves,” said Mr Alfred.
“This likely includes appropriate education of individuals on the use of NRIC numbers and how they can protect themselves against misuse.”
Mr Gilbert Leong, head of Dentons Rodyk’s intellectual property and technology practice, said that if the search function for full names and NRIC numbers is reinstated on Bizfile, it may have implications on how future data breaches are dealt with.
He added that this is especially so when only names and NRIC numbers are compromised, as it can be argued that the data was publicly available from a government website.
Even if there is no sensitivity in having one’s full NRIC number made public, he said, individuals should still disclose such information with caution, and be mindful of the intention of the organisations they are giving personal data to.
“Organisations are obliged to take steps to protect customer data, but the level of protection varies, so consumers should still stop, pause and think why their data is needed,” said Mr Leong.
Mr David Siah, executive vice-president of South-east Asia-Australia at the Centre of Strategic Cyberspace + International Studies, a London-based think-tank, said the NRIC numbers work better as an identifier than names, as they are unique.
With digital services gaining prevalence, he said, it is to be expected that NRIC numbers may be preferred as an identifier, and therefore made much more accessible – even to those with malicious intentions.
Prof Tan suggested that a public education campaign could “re-socialise people’s and organisations’ approach towards the non-masking of NRIC numbers”.
Only when non-masking NRIC numbers is “widely practised and accepted” should public agencies proceed with using full NRIC numbers where necessary, he added.
MDDI has said it will conduct public education efforts with the PDPC in 2025.
These will address how NRIC numbers “should be used freely as a personal identifier in the same way we use our names, as well as the correct steps we ought to take to protect ourselves, which involve proper use of authentication and passwords”, said the ministry.
