NRIC numbers should not be used as passwords or for authentication: S’pore data privacy watchdog 

Organisations should not use NRIC numbers to authenticate users’ identities and must obey laws governing the use of NRIC data, says the Personal Data Protection Commission.

SINGAPORE - NRIC numbers should not be used as passwords, Singapore’s data privacy watchdog has reiterated.

Organisations should also not use NRIC numbers to authenticate users’ identities and must obey laws governing the use of NRIC data, said the Personal Data Protection Commission (PDPC).

“Like any personal identifier, the NRIC number is still subject to the data protection obligations in the Personal Data Protection Act,” the commission added.

“Therefore, organisations collecting NRIC data must still obtain valid consent, and comply with reasonable use and ensure protection.” 

PDPC’s remarks on Dec 14 came in response to the authorities’ statement earlier in the day that the Government intends to move away from the practice of masking NRIC numbers.

The commission said it sought to emphasise its recommendations on how NRIC numbers should be treated, given the public attention drawn to the matter.

For one thing, NRIC numbers should not be used as passwords, “just as our names are not used as passwords”, it said.

People who have done so should immediately change their passwords, PDPC added.

“If the change function cannot be found on the service portal, it is best to contact the service provider immediately for advice to change the password,” it said.

In addition, organisations should not use NRIC numbers for authentication – that is, to prove that a person is who he claims to be.

This is because NRIC numbers are not secret, PDPC said.

It added that it had previously taken action against organisations that used NRIC numbers for authentication and breached their data protection obligations.

“A person’s name and NRIC number identify who the person is,” it said. “Authentication is about proving you are who you claim to be. This requires proof of identity, for example, through a password, a security token or biometric data.”

PDPC also said organisations should not use NRIC numbers as the default password for services provided to individuals.

“Organisations that have such practices should phase them out as soon as possible,” it said.

It also recommended sturdy defences for administrative accounts to prevent data breaches. These include complex passwords or two-factor authentication, which requires two distinct forms of identification before granting access.

This issue arose when the Accounting and Corporate Regulatory Authority (Acra) launched its new Bizfile web portal on Dec 9, allowing people to search for and view the full NRIC numbers of others, without having to log in.

After members of the public raised privacy concerns, the function was temporarily disabled on Dec 13.

On Dec 14, the Ministry of Digital Development and Information (MDDI) said the NRIC number is assumed to be known, just as names are known.

“There should therefore not be any sensitivity in having one’s full NRIC number made public, in the same way that we routinely share and reveal our full names to others,” said an MDDI spokesperson.

The authorities said they had planned to change the existing practice of masking NRIC numbers after educating the public and preparing the ground.

Acra had moved ahead with the NRIC unmasking, running ahead of the Government’s intent, said MDDI.

Both the ministry and Acra apologised for causing public anxiety, in their Dec 14 statements.

In its statement, PDPC also apologised for the confusion caused, and said it would fully address the public’s concerns and questions as soon as possible.

Experts spoken to said that currently, an NRIC number in the wrong hands has the potential to cause real harm.

Technology lawyer David Alfred, the co-head of data protection, privacy and cyber security at Drew & Napier, said that if a person’s full name and NRIC number were obtained by someone with malicious intent, there is a risk of identity theft or other criminal activities.

In relation to identity theft, with an individual’s full name and NRIC number, a malicious actor could gain access to other personal information, said Mr Alfred. This could raise the risk of identity theft, he added, or even allow a malicious actor to access individuals’ accounts with other organisations.

A malicious actor could also masquerade as a government officer or an employee of a trusted organisation, such as a bank, to obtain account information or commit other criminal activities, he said.