IC numbers remain personal data that must be protected, Latest Singapore News - The New Paper

IC numbers remain personal data that must be protected

NRIC numbers remain a form of personal data and should only be collected and used when necessary, said Digital Development and Information Minister Josephine Teo in Parliament on Jan 8.

Organisations that collect NRIC numbers still have a duty of care and must notify and seek consent on the use of the data and protect it, she said in a ministerial statement to answer at least 50 questions from MPs over the recent wide-scale exposure of NRIC numbers.

“These are existing guidelines that will not change,” she added.

The Accounting and Corporate Regulatory Authority (Acra) caused a storm among the public after launching its new Bizfile portal on Dec 9, which by mistake allowed the full NRIC numbers of people registered in its database to be retrieved for free via its search function.

The feature was taken down on Dec 13 in the light of public backlash.

Mrs Teo acknowledged the concerns raised by the public and said: “The recent Bizfile incident is unfortunate. Without intending to, it led the public to believe that the Government is changing its policy to allow full NRIC numbers to be exposed on a wide scale.

“This is not the case.” 

Mrs Teo added: “We take the public’s concerns seriously and are very sorry for the mistake that caused them much anxiety.” 

Some MPs had asked about the rationale behind the plan to stop the practice of masking NRIC numbers and whether the number is still considered confidential.

Others had asked about what private organisations should do and whether the mishandling of NRIC numbers by private firms was still considered a data breach. MPs also asked about measures in place to protect citizens from an increased likelihood of impersonation scams.

Mrs Teo addressed the incorrect uses of NRIC numbers in her speech and outlined the next steps for the private and public sectors. 

Incorrect uses of NRIC number

NRIC numbers are a means to identify individuals, but some organisations have wrongly used the numbers as a means of authentication – which assumes that a person is who he claims to be simply because he can cite an NRIC number, she said. 

Some organisations have gone a step further by granting a person access to privileged information or services. 

“When used this way, my NRIC number is no longer just an (identifier) but a key to unlock more information or services,” said Mrs Teo. 

“This is clearly inappropriate,” she added. 

Another example is when some organisations collect and use partial NRIC numbers – typically the last four characters of an individual’s NRIC number.

“They think that this is safe, and that revealing only the last four characters still keeps the full NRIC number secret,” said Mrs Teo, adding that the use of masked NRIC numbers had become more common even within public agencies.

Some individuals also used their NRIC numbers as their passwords, believing that they are secret, she said.

But today, algorithms available online can easily decipher the full NRIC number from partial or masked numbers, said Mrs Teo, responding to security concerns raised by Dr Tan Wu Meng (Jurong GRC).

The availability of such algorithms means that the continued use of partial or masked NRIC numbers gives organisations and individuals a false sense of security, said Mrs Teo.

“This does not really keep the full NRIC number secret,” she said. “This also makes the practice of using NRIC numbers as passwords even more inappropriate.”

The Government moved first to stop the incorrect uses within the public sector and asked agencies to stop using the NRIC number as an authenticator or password, said Mrs Teo.

Plans went forth within the public sector first as a test bed to understand potential challenges of implementing the changes before moving to the private sector, she said.

“We knew this transition would take time,” she said. “But it was better to start while the problem is relatively contained, and for the Government to take the lead.”

She added: “We also asked agencies not to plan new uses, with a view to discontinuing existing uses of masked NRIC numbers eventually.”

Instructions for the private sector

Private sector organisations that are using NRIC numbers as a means of authentication or as a default password should stop doing so as soon as possible, said Mrs Teo.

Insurance companies, for example, often use partial NRIC numbers and birthdates as an automated default password to allow customers to access private documents. Insurers and banks are in the midst of reviewing their processes.

Organisations that collect partial NRIC numbers to identify people can continue to do so, as the guidelines on this have not yet changed, said Mrs Teo, adding that changes will only be introduced after consulting the public.

“We aim to start consultations soon and will provide details when ready.”

Early talks with private sector players suggest several approaches to data collection, Mrs Teo said. Some organisations that use partial NRIC numbers can replace them with other means of identification, such as contact numbers, or drop them entirely, she said.

But some organisations justifiably rely on the collection of full NRIC numbers even if they are not required to by law.

Pre-school centres, for instance, prefer to collect full NRIC numbers of visitors rather than just the mobile numbers, as parents feel more secure, said Mrs Teo.

Individuals applying for substantial financial aid from various organisations will also need to be accurately identified, she added.

What should individuals do?

Mrs Teo urged individuals to be wary of trusting unsolicited callers simply because they are able to recite their NRIC number.

She said: “If someone we don’t recognise calls out our name and starts to behave as though they know us well, we would be slightly suspicious. We might be polite but not too friendly.

“Certainly, we should not fully trust this person just because they know our name.”

Those who have used their NRIC number as a password to access any information or service should change the password immediately, she said.

If individuals and organisations stop the use of NRIC numbers as a means of authentication, it will go a long way to prevent fraud, said Mrs Teo, in reply to concerns about the risk of scams following Acra’s disclosure of the NRIC numbers.

She said: “Most NRIC-related scams involve victims who think they are speaking to figures of authority and end up taking actions that harmed themselves, such as transferring money without further checks.

“Very few cases have involved scammers directly using NRIC numbers to unlock access to valuables.”

Mrs Teo said: “By taking action as soon as possible, we can increase protection for all of us. This will allow us to more confidently use the full NRIC number as a unique identifier whenever we need to do so.”
