Disclosure of NRIC Numbers – Government Sets Out Position and Upcoming Guidance

Introduction

The disclosure of National Registration Identity Card (“NRIC”) numbers has been the subject of much attention in recent weeks, after unmasked NRIC numbers were made publicly accessible on the new BizFile portal. NRIC numbers have traditionally been viewed as personal information bearing some degree of confidentiality, but the Government has now indicated that they are assumed to be known and may thus be made public. This has raised questions, particularly from organisations in possession of NRIC information, on how NRIC numbers are to be used and managed.

To address public concerns and queries, various Government agencies have issued statements and clarifications regarding the use of NRIC numbers. These include:

  • The Ministry of Digital Development and Information’s (“MDDI”) reply to media queries on the disclosure of NRIC numbers on the BizFile system;

  • The Personal Data Protection Commission’s (“PDPC”) reply to media queries on the use of NRIC numbers;

  • The Accounting and Corporate Regulatory Authority’s (“ACRA”) reply to media queries on disclosure of NRIC numbers on the BizFile system; and

  • Press conferences on responsible use of NRIC numbers.

Notably, PDPC has clarified that NRIC numbers are still subject to the data protection obligations in the Personal Data Protection Act (“PDPA”). PDPC has also stated that its Advisory Guidelines on the Personal Data Protection Act for NRIC and other National Identification Numbers (“NRIC Guidelines”) will continue to apply for now, and that they will be updated following consultations.

While further guidance is expected from the respective agencies, in this Update, we highlight the Government’s current position on the use and disclosure of NRIC numbers based on the existing statements and guidelines.

Background

ACRA, as Singapore’s national business registry, launched the new BizFile portal on 9 December 2024. The BizFile portal allows public users to conduct searches for businesses and individuals, providing a list of all individuals who are office holders or business owners in Singapore, as well as their NRIC numbers.

While the NRIC numbers were masked on the previous BizFile portal, the new BizFile portal provided the full NRIC number as part of the search results. ACRA has stated that this is in line with the broader Government effort to move away from using masked NRIC numbers. This led to public queries on the disclosure of full NRIC numbers on BizFile.

ACRA has since stated that it had moved ahead with the unmasking of NRIC numbers before public education on the appropriate use of NRIC information could be done. It has thus disabled the search function on the BizFile portal for now, and will introduce a revised “People Search” function, in which the search results will not show any NRIC number, masked or unmasked. Those who require more information about a specific individual, including the full NRIC number, will have to make payment to obtain the necessary information from BizFile.

Current Position on NRIC Numbers

MDDI provided a reply to media queries on 13 December 2024, offering further insight on the current position with regard to the use and disclosure of NRIC numbers. MDDI clarified that:

  • The NRIC number is a unique identifier and is assumed to be known (similar to an individual’s name). There should not be any sensitivity in having one’s full NRIC number made public.

  • While there has been a practice of using masked NRIC numbers, there is not much value in doing so, as basic algorithms can guess at the full NRIC number from the masked number. Public agencies will thus be phasing out the use of masked NRIC numbers.

MDDI stated that it will be conducting a public education effort about the purpose of the NRIC number, how it should be used freely as a personal identifier, and the correct steps that should be taken to protect ourselves.

Guidance on Use of NRIC Numbers

On 14 December 2024, PDPC provided further guidance on the protection of NRIC information, as well as how NRIC numbers may be improperly used.

  • Use of NRIC as password: The NRIC number should not be used as a password. Anyone who has done so should immediately change their password, observing well-established good practices such as a minimum level of complexity. For more details, please refer to guidelines issued by the Cyber Security Agency of Singapore: Importance of Using Strong Passwords, and Ways to Safeguard Your Passwords and Accounts.

  • Use of NRIC for authentication: The Government has noted that some organisations have been using NRIC numbers as authenticators, depending on a person producing his or her full NRIC number as proof that the person is who he or she claims to be, and potentially granting access to privileged information or services. However, NRIC numbers are not a secret and thus (i) should not be used by an organisation for authentication purposes; and (ii) should not be used as the default password for services provided to an individual.

    In designing its authentication practices, organisations should refer to the guidelines issued by PDPC: Guide to Data Protection Practices for ICT Systems. This includes strong requirements for administrative accounts, such as complex passwords or Two-Factor Authentication/Multi-Factor Authentication.

Notably, PDPC has clarified that the NRIC number, as a personal identifier, is still subject to the data protection obligations in the PDPA. Organisations collecting NRIC data must still obtain valid consent and comply with reasonable use and ensure protection.

PDPC has indicated that it will be updating its NRIC Guidelines to align with the new policy intent, to help put a stop to the wrong uses of the NRIC number, and to give reassurance to entities who have legitimate reasons to use the NRIC number. However, this will only be done following the completion of consultations with industry and members of the public.

In the meantime, the current NRIC Guidelines remain valid. Therefore, most organisations and individuals can continue with their current practices regarding the responsible collection and use of NRIC numbers. They must, however, continue to exercise their duty of care in their handling of NRIC numbers. For example, NRIC numbers should not be published unless there are good reasons to do so.

What to Expect Next

As highlighted above, PDPC will be consulting on and updating its NRIC Guidelines. Apart from this, the Association of Banks in Singapore has also stated that banks are conducting a thorough review of their practices on the use of NRIC numbers, and that some existing practices may be changed as a result of that review.

Organisations and stakeholders should thus be vigilant for upcoming industry-specific guidelines and interim directions from PDPC, ABS, and other agencies. These will provide essential guidance for how NRIC numbers are to be treated and managed in light of impending policy changes.

Concluding Words

Organisations dealing with NRIC numbers should take note that NRIC numbers are not considered secret information and may be publicly disclosed. There is thus no obligation to mask NRIC numbers in the organisation’s control.

However, organisations should continue to ensure that they comply with the data protection obligations under the PDPA, and that they do not use NRIC numbers as passwords or for authentication.

Organisations should continue to look out for upcoming guidelines and clarifications on the use and management of NRIC numbers. In the meantime, if you have any further queries, please feel free to contact our team.


Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.


© 2024 Rajah & Tann Singapore LLP. All rights reserved. Rajah & Tann Singapore LLP (UEN T08LL0005E) is registered in Singapore under the Limited Liability Partnerships Act (Chapter 163A) with limited liability.