How should individuals and the private sector handle NRIC numbers?

Modern technology has made it easy to decipher the full NRIC number from a partial or masked number, making its use vulnerable.

SINGAPORE – While Singapore is moving away from the use of masked NRIC numbers, it does not mean that they should be widely shared.

Here are some pointers from Digital Development and Information Minister Josephine Teo’s ministerial statement for individuals, private sector organisations and public agencies, following the widespread disclosure of NRIC numbers on the Accounting and Corporate Regulatory Authority’s Bizfile portal in December.

Individuals

Individuals who include parts of their NRIC number in their passwords should update them immediately to make it harder for fraudsters to exploit those numbers to access privileged information or services.

Those who have used their NRIC number as a password to access any information or service have wrongly used it as an authenticator.

Modern technology has made it easy to decipher the full NRIC number from a partial or masked number, making its use vulnerable.

Do not simply trust anyone who can recite your NRIC number as it could be a fraudster, said Mrs Teo, who added: “We should be cautious about revealing more about ourselves, or saying ‘yes’ to their requests, or following their instructions, without checking further.”

For extra security, Singpass users can change their user ID from their NRIC number, which is set by default, to something else.

Private organisations

Organisations that use NRIC numbers as a means of authentication or as part of a default password should stop doing so as soon as possible.

This process is not to be confused with the use of a physical or digital NRIC card, which is accepted as a means of authentication because it is a government-issued secure document. It also contains other information such as the individual’s photo and fingerprint that can be used to verify the person holding the card.

In short, NRIC cards can be used for authentication, but NRIC numbers alone should not.

Where necessary, organisations may continue to collect NRIC numbers, which remain classified as personal data that requires protection. Mrs Teo said companies that collect them must exercise a duty of care to protect the data and seek consent from individuals on its use, where required under the law.

The collection of full NRIC numbers is justifiable as a way to identify people in some instances, such as when financial aid is being disbursed.

Private sector firms that collect partial NRIC numbers to identify people can continue doing so, as the guidelines for the private sector remain unchanged for now, pending consultations with the public.

Public sector

All public sector agencies have stopped using NRIC numbers as authenticators, following the Ministry of Digital Development and Information’s internal circular that was sent in July, said Mrs Teo.

The Government moved first to update the way that NRICs are used within the public sector, and asked agencies to stop using the NRIC number as an authenticator or password, she said.

Government agencies will still ask individuals for their full NRIC numbers where necessary, such as when applying for subsidies or benefits, said Mrs Teo, who added that each use merits its own considerations.

Correction note: This article has been edited for clarity.
