Private organisations still using NRIC numbers for authentication may face sanctions from 2027
SINGAPORE - Private organisations that have not phased out the use of NRIC numbers for authentication will risk breaching the Personal Data Protection Act (PDPA) from Jan 1, 2027.
In a statement on Feb 2, the Personal Data Protection Commission (PDPC) said organisations that continue to use NRIC numbers for authentication to access personal data may be failing to make reasonable security arrangements to protect personal data. This would constitute a breach of the PDPA.
“From Jan 1, 2027, the PDPC will step up enforcement action against such misuse, including imposing directions or financial penalties for such breaches where appropriate,” said the commission.
“Organisations may also refer to PDPC’s latest advisory on good practices for protecting personal data, including NRIC numbers.”
The PDPC and Cyber Security Agency of Singapore in June 2025 issued a guide
This includes using full or partial NRIC numbers as default passwords, whether on their own or together with other easily obtainable personal data such as name and date of birth.
“Such passwords should not be used to access digital documents or to allow access to an individual’s account,” said PDPC in its Feb 2 statement.
Government agencies have already stopped using NRIC numbers for authentication.
The Infocomm Media Development Authority, the Monetary Authority of Singapore and the Ministry of Health have also issued guidance to the telecommunications, finance and insurance, and healthcare sectors on ceasing the use of NRIC numbers for authentication within their sectors.
The policy shift away from using NRIC numbers for authentication happened after such numbers belonging to key representatives of companies registered under the Accounting and Corporate Regulatory Authority’s database were revealed by mistake
Since then, the Government has been taking steps to ensure the proper use of NRIC numbers across the public and private sectors.
Experts said moving away from NRIC numbers for authentication and turning to more secure methods
Experts estimated a timeline of three to six months for larger organisations such as major banks, telecommunications companies and healthcare groups to fully set up the infrastructure for more secure authentication methods.
Smaller organisations that rely on NRIC numbers as a form of authentication could take even longer to adapt, depending on the complexity of the changes, regulatory compliance checks and vendor capabilities, according to experts.


