The Personal Data Protection Commission (“PDPC”) and Cyber Security Agency of Singapore (“CSA”) have issued a joint advisory to advise organisations against using NRIC numbers for authentication.
The advisory sets out the following guidance on the use of NRIC numbers:
- NRIC numbers (full or partial) should not be used as passwords to authenticate a person.
- Organisations should not set NRIC numbers as default passwords, nor should they use full or partial NRIC numbers together with other easily obtainable personal data for authentication.
- Organisations should also be aware that a person may not be who he claims to be just because he is able to state that person’s NRIC number.
The advisory also sets out considerations and options to authenticate persons:
- Organisations should take a risk-based approach when choosing the authentication methods, considering factors such as: (i) value and sensitivity of what is being protected; (ii) potential threats and vulnerabilities of the authentication method; and (iii) user experience and accessibility when using the authentication method.
- Options to authenticate a person include: (i) something only the person knows (e.g. strong passwords); (ii) something only the person owns; or (iii) something only the person has.
For more information, see:
- Joint Advisory Against Using NRIC Numbers For Authentication (available on the CSA website at csa.gov.sg)
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.