Use of partial NRIC numbers for identification not reliable, public sector to phase it out: Jasmin Lau
Sign up now: Get ST's newsletters delivered to your inbox
Private organisations that have not phased out the use of NRIC numbers for authentication will risk breaching the Personal Data Protection Act from Jan 1, 2027.
PHOTO: ST FILE
- Singapore is moving away from partial NRIC numbers due to unreliability in identifying individuals accurately.
- Full NRIC numbers will be used for accurate identification, like in official documents, but avoided when not necessary.
- Organisations risk breaching PDPA from Jan 1, 2027, if they misuse NRIC numbers for authentication; public awareness campaigns ongoing since June 2025.
AI generated
SINGAPORE – Public agencies are starting to use full NRIC numbers and progressively moving away from using partial numbers, as the latter are not reliable for identifying individuals accurately.
But this does not mean that full NRIC numbers will automatically be used instead.
When there is no need to accurately identify someone, NRIC numbers will not be used at all, Minister of State for Digital Development and Information Jasmin Lau told Parliament on Feb 3.
She was replying to a question from Mr Sharael Taha (Pasir Ris-Changi GRC) on what has been done to ensure the appropriate use of citizens’ NRIC numbers across public and private sector transactions.
Explaining the Government’s move away from partial NRIC numbers, Ms Lau said: “Partial NRIC numbers, like the last four characters, are not reliable for identifying people because some individuals share the same partial NRIC numbers. Some individuals even share both the same name and partial NRIC number.”
She added: “Where individuals must be identified accurately, agencies are starting to use the full NRIC number instead, such as in official documents such as licences and employment letters issued by the Government.”
Ms Lau said the Government will consult the private sector before changing existing guidelines over the use of partial numbers to strike a balance between protecting personal data and meeting legitimate business needs.
The policy shift away from regarding NRIC numbers as sensitive information came into public knowledge after such numbers belonging to key representatives of companies in the Accounting and Corporate Regulatory Authority’s database were revealed by mistake on its new Bizfile web portal on Dec 9, 2024
Since then, the Government has been taking steps to ensure the proper use of NRIC numbers across the public and private sectors.
These include a joint advisory by the Personal Data Protection Commission and Cyber Security Agency of Singapore, issued in June 2025, urging organisations to stop using NRIC numbers as passwords or to authenticate individuals.
This means that people should not use such numbers, in full or in part, as default passwords. They also should not be combined with easily obtainable personal data such as names and birthdates (for example, “567A01Jan80”) for passwords.
Ms Lau said the Government is working with sectors like telecommunications, finance and insurance, and healthcare to stop these practices.
Private organisations that have not phased out the use of NRIC numbers for authentication will risk breaching the Personal Data Protection Act
Since June 2025, the Government has been educating the public about proper NRIC number use through social media, the traditional media, roadshows and community touchpoints.
It will continue its national campaign across multiple platforms in English and vernacular languages, to raise public awareness and understanding on the proper use of such numbers.
“We recognise that organisations need time to adapt to these changes. During this transition period, we encourage the public to continue reporting cases where NRIC numbers are mishandled, as the feedback helps us ensure proper implementation,” said Ms Lau.
