The Evolving Story of NRIC in Singapore

Blog · January 12, 2025 · Ethan Seow

Introduction:

On 9th December 2024, the Accounting and Corporate Regulatory Authority (‘ACRA’) updated Singapore’s Bizfile portal, a digital service portal for business registration, filing and information. The update included a new search function that revealed individuals’ National Registration Identity Card (‘NRIC’) numbers, which until then had been designated as Personally Identifiable Information (‘PII’). This sparked public concern, especially in light of the increasing prevalence of identity theft scams. More than 500,000 searches for individuals were made on the Bizfile portal during the five-day period from December 9 to 13, when full NRIC numbers were available, compared with the usual daily traffic of 2,000 to 3,000 queries through the portal’s free People Search function. The queries came from an estimated 28,000 IP addresses, most of them in Singapore.

On 14th December, the Ministry of Digital Development and Information (‘MDDI’) responded to these concerns with a statement that NRIC numbers should be treated like names and not classified as PII. On December 16, 2024, the Personal Data Protection Commission (‘PDPC’) announced that it would update its guidelines on NRIC numbers following a public consultation, without specifying when that consultation would conclude. The PDPC emphasised that NRIC numbers remain subject to data protection obligations under the Personal Data Protection Act, 2012 (‘PDPA’): organisations must obtain valid consent before collecting NRIC data, ensure reasonable use, and provide adequate protection. Until then, the PDPC had treated NRIC numbers as PII. PII refers to any information that can be used to distinguish one individual from another; examples include name, email address, and phone number. NRIC numbers were previously considered sensitive PII in Singapore because they could be used to uniquely identify individuals and to access a range of services. This classification was reflected in the regulations that restricted the collection and use of NRIC numbers by private sector organisations.

A review was launched to investigate how full NRIC numbers came to be revealed by ACRA on its new business portal. The review is expected to be completed in February 2025, and its findings will be made public. The PDPC’s FAQ clearly stated that private sector organisations were only allowed to collect, use, or disclose NRIC numbers if required by law or if necessary to establish an individual's identity to a high degree of accuracy. MDDI’s initial statement that NRIC numbers are assumed to be known, just like names, contradicts that previous understanding and those regulations. Digital Development and Information Minister Josephine Teo has since clarified in Parliament that NRIC numbers remain a form of personal data and should only be collected and used when necessary. While the government has indicated that it will update the guidelines on NRIC numbers, the sudden policy shift and the lack of a clear alternative system have created uncertainty and raised concerns about data breaches and identity theft.

Main Concerns:

The abovementioned incident raises three main concerns:

First, government policy was inconsistent, and ACRA was left to take responsibility for “misinterpreting” an internal circular. At the same time, positions were altered without adequate public communication on the PDPA website. Had ACRA merely misinterpreted the circular, MDDI’s initial response would have been different, which is why we call out this issue.

Second, despite the NRIC's integral role in Singapore's identification framework across the telecommunications, banking, insurance, and legal sectors, the abrupt policy shift came with no viable alternative system. At the policy level this left a bad taste: organisations were given no recommended pathway to rectify the issue, so the NRIC remained the default identifier even as it became “public”, increasing the vulnerability of their verification systems.

Third, the significant regulatory change was initially announced casually through a press release rather than through formal channels, leaving businesses unsure how to implement it. The transition away from the NRIC as a sensitive identifier, while important for privacy protection, faces implementation challenges that would benefit from clearer communication and more systematic execution. Since NRIC usage has historically been integrated into many institutional processes, citizens and organisations may require additional guidance to adopt alternative identification methods effectively.

In hindsight, therefore, the general approach did not help to address the concerns about the policies around the NRIC.

What is NRIC?

The NRIC is a mandatory identity document for all Singapore citizens and permanent residents aged 15 and above. It carries a unique identifier that starts with 'S' (for citizens) or 'F' (for permanent residents), followed by seven digits and a checksum letter. Prior to the Bizfile portal incident, organisations and businesses routinely collected NRIC numbers for purposes ranging from visitor registration and membership applications to event sign-ups and facility bookings, with minimal restrictions on their collection or display.
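Because the format described above is fixed (prefix letter, seven digits, check letter), a defender can scan exported records or logs for NRIC-shaped tokens and verify the check letter before raising a data-loss alert. The following scanner is an added example, not code from the original post; it assumes the publicly documented NRIC/FIN checksum (weights, mod 11, letter tables), which the post does not state, and also accepts the T and G prefixes that the post does not mention. The sample export lines are constructed.

```python
import re

# Checksum tables for the NRIC format described above. Assumption: this is the
# publicly documented NRIC/FIN algorithm (weights, mod 11, letter tables),
# which the post itself does not state.
_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK_LETTERS = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",   # NRIC
                  "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}   # FIN
_PREFIX_OFFSET = {"S": 0, "T": 4, "F": 0, "G": 4}  # T and G series add 4
# prefix letter, seven digits, check letter, bounded by non-word characters
_NRIC_RE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b")

def expected_check_letter(prefix: str, digits: str) -> str:
    """Check letter for a prefix and its seven digits."""
    total = _PREFIX_OFFSET[prefix] + sum(w * int(d) for w, d in zip(_WEIGHTS, digits))
    return _CHECK_LETTERS[prefix][total % 11]

def is_valid_nric(value: str) -> bool:
    """True only if the token has NRIC shape and a correct check letter."""
    m = _NRIC_RE.fullmatch(value.strip().upper())
    if not m:
        return False
    prefix, digits, check = m.groups()
    return expected_check_letter(prefix, digits) == check

def mask_nric(value: str) -> str:
    """Redact for logging: keep the prefix and the last four characters."""
    return value[0] + "****" + value[-4:]

def scan_for_nric(text: str) -> list:
    """Find NRIC-shaped tokens in free text and report whether each passes
    the checksum. Records carry only the masked value, so the scanner does
    not re-expose what it flags."""
    hits = []
    for m in _NRIC_RE.finditer(text.upper()):
        token = m.group(0)
        hits.append({"masked": mask_nric(token),
                     "checksum_ok": is_valid_nric(token),
                     "offset": m.start()})
    return hits

# Constructed sample export (not real data): a valid NRIC, one with a wrong check
# letter, a valid T-series NRIC in lower case, and an eight-digit reference to skip.
SAMPLE_EXPORT = """\
member_id=1001,name=Alice Tan,nric=S1234567D
member_id=1002,name=Bob Lim,nric=S1234567A
member_id=1003,name=Carol Ng,nric=t0000000g
order_ref=S12345678
"""
```

Tokens that match the shape but fail the checksum are worth reporting separately: they are usually typos or synthetic test data rather than real identifiers, and treating them as leaks inflates false positives.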

  1. K-Box and Finantech (entertainment chain):
    In the K-Box data breach case of 2012, the personal information of 317,000 members was publicly exposed on pastebin.com. The compromised data included sensitive information such as member names, NRIC numbers, contact numbers, email addresses, gender, nationality, profession and dates of birth. The Personal Data Protection Commission (PDPC) imposed its most severe penalties at the time, requiring K-Box to pay S$50,000 and Finantech, its data intermediary, to pay S$10,000.
  2. Singapore Telecommunications and Tech Mahindra (telecommunications company):
    The Singtel breach discovered in 2016 was caused by a coding error made by an employee of its IT vendor, Tech Mahindra, which exposed one individual’s sensitive personal data to other users of Singtel’s OnePass feature. The exposed information included the individual’s NRIC and Singtel account number and was potentially accessible to 2.78 million users. Responsibility was placed on the vendor, Tech Mahindra, which was fined S$10,000 for the breach.

On 11th January 2025, the Immigration and Checkpoints Authority (ICA) temporarily suspended an electronic service that allowed Singapore residents to change their residential addresses online, after it was discovered that perpetrators were using stolen or compromised Singpass accounts to change victims’ addresses. The perpetrators would then use the changed address to set a new password for the victim’s Singpass account. Although the press release states that this incident is unrelated to the ACRA NRIC incident, its timing was suspiciously close, so we include it here.

Further confirming the sensitivity of NRIC numbers, in an incident reported on 26th January 2025 the personal data of over 3,300 individuals, including their NRIC numbers, was leaked due to a ‘technical issue’ at the regulator for property agents. It was treated as a data privacy issue.

The debate surrounding the classification of NRIC in Singapore is complicated by the definitions of PII and Personal Data.

Part of the core of this issue is the definition of Personal Data (PD) versus Personally Identifiable Information (PII). Singapore uses PD as its reference, following the European approach to classifying information, but our reports often talk about PII, which is not a regulated term. This causes confusion. The GDPR's definition of PD is very broad: it includes any information that can be connected to a living person who can be identified. Under the GDPR, seemingly harmless pieces of information count as personal data if they can be combined to identify a person, even if no single piece identifies anyone on its own. For instance, someone's birth date or postal code might not be enough to identify them individually, but combined they could be. Therefore, even if NRIC numbers are treated like names, they would still be personal data under the GDPR framework because they relate to an identifiable individual. Meanwhile, in Singapore we use PII and PD almost interchangeably, and the debate that followed the ACRA incident was framed as whether the NRIC was PII or not.

By any of the definitions above, the NRIC would automatically qualify as PD. However, the conversation that followed about whether the NRIC should be classified as PD was circular; it resembled a discussion of whether the NRIC belonged on a static checklist, which is closer to the popular impression of PII. While names are considered PII, they are non-sensitive and therefore generally not subject to the same level of protection as sensitive PII, as NRIC numbers previously were. Again, these are not official legal terms, which furthered the confusion until Minister Josephine Teo confirmed that NRIC numbers are PD and should be regulated as such.

A Global Lens: National ID Systems

National identity systems are essential for establishing individual identities and facilitating access to services. Notably, several jurisdictions treat their national identification numbers with the same level of sensitivity that Singapore has applied to Personally Identifiable Information (PII), implementing strict protections and usage restrictions.

Comparative Table (national ID cards and numbers, by jurisdiction):

  1. Aadhaar (India)
    Definition: A 12-digit unique identification number for residents. Any resident of India, regardless of age or gender, can voluntarily enrol for an Aadhaar number. Set up in 2009, the Aadhaar number has lifetime validity and is unique to each individual.
    Governing authority: Unique Identification Authority of India (UIDAI).
    Purpose: Authentication of identity for various services.
    Privacy status: Governed by The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and subsequent amendments. The Act establishes strict privacy safeguards, including data minimisation principles and purpose limitation.
    Data collection: Collects biometric and demographic data during enrollment.
    Enrollment process: Managed by UIDAI with private entities as enrollers.
  2. Social Security Number (SSN) (United States)
    Definition: A 9-digit number primarily for tracking social security benefits. Originally introduced in 1936 to track individuals' earnings for Social Security benefits, the SSN has evolved into a de facto national identification number used for various purposes, including taxation and credit tracking.
    Governing authority: Social Security Administration (SSA).
    Purpose: Record-keeping for social security benefits and taxation.
    Privacy status: Governed by federal laws, including provisions that offer some privacy protections under the Privacy Act of 1974.
    Data collection: Collects demographic data; no biometric data collected.
    Enrollment process: Managed by the SSA with strict guidelines for enrollment.
  3. National Insurance Number (NIN) (United Kingdom)
    Definition: An alphanumeric identifier (typically two letters, six digits, and one final letter) used to track taxes, social security contributions, and certain state benefits. Usually assigned around age 16 or upon starting work in the UK.
    Governing authority: HM Revenue & Customs (HMRC) and the Department for Work & Pensions (DWP).
    Purpose: Used for tax, National Health Service (NHS) entitlements, state pension tracking, and other public services requiring proof of contributions or benefits.
    Privacy status: Covered under the UK Data Protection Act 2018 and the UK GDPR, which impose strict obligations on data controllers regarding the storage and processing of personal information.
    Data collection: Primarily collects demographic data (name, date of birth, address). No biometric data is typically collected when issuing NINs.
    Enrollment process: Typically assigned automatically around age 16 to UK residents. Non-UK residents who start work apply via the DWP or Jobcentre Plus; interviews or ID checks may be required.
  4. Citizen Service Number (BSN) (Netherlands)
    Definition: A unique number assigned to residents for services. The BSN was introduced in 2007. It consists of 8 or 9 digits and has had no specific geographical significance since the introduction of randomised assignment.
    Governing authority: Ministry of the Interior and Kingdom Relations.
    Purpose: Access to public services and identification.
    Privacy status: The BSN is subject to strong privacy protections under the EU General Data Protection Regulation (GDPR). Organisations outside the government can only use the BSN if explicitly permitted by law, ensuring that its application is limited and controlled.
    Data collection: Collects demographic data; no biometric data collected.
    Enrollment process: Managed through local municipalities.
  5. Identity Card (Germany)
    Definition: A government-issued ID card for citizens. Introduced in 2010, the ID card includes a contactless chip that stores all data found on the card, except for height, eye colour and signature.
    Governing authority: Federal Ministry of the Interior.
    Purpose: Identification and access to various services.
    Privacy status: The identity card is governed by the Identity Card Act (PAuswG), which sets out strict regulations on the storage and processing of personal data. This law mandates that personal information, including biometric data, can only be accessed by authorised entities.
    Data collection: Collects demographic data; biometric data optional.
    Enrollment process: Managed through local authorities with specific requirements.

Charting The Way Forward:

Modern authentication tools offer significant advantages: they are generally harder to compromise, can be re-issued if breached, and provide better audit trails. For example, South Korea's digital identity system combines blockchain and decentralised identifiers (DIDs) with biometric verification, while India's Aadhaar authentication uses multi-modal biometrics (fingerprints, iris scans) combined with one-time passwords (OTP). These systems support advanced security features such as digital signatures and encryption. Denmark has successfully implemented NemID, a two-factor authentication system combining a password with a physical code card or mobile app, demonstrating that such transitions are feasible. While moving away from NRIC numbers as an authentication method will strengthen the security of the digital economy over time, the difficulty is that alternative systems were not fully established before ACRA revealed NRIC numbers.

The change of stance on the NRIC's status, away from sensitive data, represents a significant departure from Singapore's historically careful approach to personal data protection. While a transition away from the NRIC as a primary identifier may be necessary in today's digital landscape, the abrupt nature of this change raised serious concerns. The comparative analysis shows that other jurisdictions treat their national identification numbers with heightened security and strict usage controls, suggesting that Singapore's sudden policy reversal diverges from international best practice. The implementation challenges are particularly acute for organisations that have built their verification systems around NRIC usage. Even if NRIC numbers are treated like names, the ease of accessing them online and the lack of a robust alternative system raise concerns about data breaches and identity theft. Without adequate notice, clear guidelines, or established alternatives, businesses face uncertainty in adapting their operations to this new paradigm.

Therefore, beyond the review due to be published in February 2025, the best next step is to identify an effective alternative solution.
