NEW advisory guidelines on the use of National Registration Identity Card (NRIC) numbers will be issued by the Personal Data Protection Commission (PDPC), following the government’s change in stance that such numbers should no longer be viewed as private and confidential.
The PDPC also confirmed that companies are still barred from collecting, using or disclosing NRIC numbers and making copies of the identity card, unless they are required by law to do so.
However, any changes to the guidelines will be introduced only after industry and public consultation, the PDPC said on Saturday night (Dec 14).
The commission did not say when the consultation is expected to be completed.
Like any personal identifier, PDPC said that the NRIC number is still subject to the data protection obligations in the PDPA. Therefore, organisations collecting NRIC data must still obtain valid consent and comply with reasonable use and ensure protection.
PDPC noted that it has previously taken action against organisations which have used NRIC numbers for authentication and breached their data protection obligations.
Earlier on Dec 14, a Ministry of Digital Development and Information (MDDI) spokesperson had said that the full NRIC numbers should not be treated as sensitive information, and instead be viewed as full names currently are.
Its response came as concerns were raised over the availability of full NRIC numbers of citizens on the Accounting and Corporate Regulatory Authority’s (Acra) updated Bizfile online portal. The portal is used for business registrations and filings.
Use of NRIC Numbers by Individuals as Passwords
In its statement, PDPC reiterated its recommendations that the NRIC number should not be used as a password.
A password should have a minimum level of complexity such as a minimum of 12 alphanumeric characters with a mix of uppercase, lowercase, numeric, and commonly used phrases or paraphrases.
Use of NRIC Numbers by Organisations to Authenticate an Individual’s Identity
Authentication requires proof of identity, for example, through a password, a security token or biometric data, the PDPC said. As the NRIC number is not a secret, it should not be used by an organisation for authentication purposes. PDPC added that it has consistently taken organisations to task for using NRIC numbers for authentication.
Neither should the NRIC number be used as the default password for services provided to an individual. Organisations that have such practices should phase them out as soon as possible.
The commission added that there should be strong requirements for administrative accounts, such as complex passwords or 2-Factor Authentication and Multi-Factor Authentication, as unauthorised access is one of the most common types of data breaches.
It also referred organisations to its guide to data protection practices for ICT systems. Still, these guidelines appear to be more relevant to companies’ internal cybersecurity practices and not their interactions with customers.
It did not say whether it has taken banks to task for using NRICs as a form of identification either.
In a recent case of identity theft, a couple lost access to their credit cards and bank accounts in October after malicious actors impersonated them over a phone call.
In response, UOB and DBS said that NRIC numbers are one of the pieces of information used to authenticate callers when they receive requests to block cards.
The police confirmed that it has received reports about the incident and are looking into the matter.
Given the concerns, Acra had earlier said on Dec 14 that it had temporarily disabled the updated Bizfile search function, where it was possible to obtain the full NRIC numbers of company office holders and business owners.
MDDI had earlier noted that NRIC numbers can be misused when organisations rely on them as a form of authentication to access information or perform transactions. “But just as our names alone would not be suitable as the basis for such authentication, neither should the NRIC number be used for this purpose,” a MDDI spokesperson had said.
MDDI had also said it and the PDPC will be conducting public education efforts to help Singaporeans adjust to this new way of thinking about NRIC numbers, in which they are no longer considered private and confidential information.