Closing Remarks by Minister Josephine Teo at Press Conference on Responsible Use of NRIC Numbers

19 DEC 2024

  1. You have heard from CE ACRA1 and Min Indranee2 on the actions that they have set out to take with regard to Bizfile. My ministry shares the responsibility for how events unfolded, and we too apologise to the public for the anxiety caused.

  2. As I explained in my opening remarks3, we had planned to discontinue the use of masked NRIC numbers within the government, starting with new services, and progressively changing out other services as they are updated. For the private sector, we had intended to consult before making any change; we should have made that clear.

  3. We should also have made clear what we meant by moving away from using masked NRIC numbers. It does not mean automatically unmasking and using the full NRIC number in all circumstances. In other words, just because we move away from using masked NRIC numbers, doesn’t mean that we switch everything into an unmasked NRIC number, fully exposing the NRIC number. In some instances, for example before the doctor performs a procedure or a nurse dispenses us medication, it will be safer and more accurate to use the full NRIC. In other instances, such as signing up for retail membership or lucky draws, there is no need to use the NRIC number at all. There are alternatives like mobile numbers or email addresses that can be used.

  4. In other words, not using masked NRIC numbers does not mean that we will unmask all currently masked NRIC numbers. We should have made this clear.

  5. Having said that, I would like to re-emphasise why the current practices around the use of NRIC numbers today makes us vulnerable, and why we should act while the problem is relatively contained.

  6. Think back to how our NRIC number is like our name. Even though our name is not a secret, if someone we don’t recognise calls out our name and starts to behave as though they know us well, we would be slightly suspicious. We would be polite but not too friendly. We should certainly not share too much with this person, just because they know our name.

  7. In the same way, this is how we should treat anyone who tells us our NRIC number, as a way of suggesting that they know us well. We should be cautious about our interactions. We should certainly be careful about revealing more about ourselves, saying “yes” to their requests or following their instructions without checking further. But this is not the case today. We may assume a caller who can tell us our NRIC number to be a figure of authority. This makes us vulnerable to potential scammers. Some organisations also accept NRIC numbers – whether full or partial – as a way to prove that the person is who he claims to be, and that allows him to access confidential documents like e-statements or controlled services. This is not secure.

  8. These practices and mindsets must change. We know this will take time. That’s why we are not rushing to change policy. We will start by focusing on the incorrect use of NRIC numbers and stopping such practices. This means moving away from using the NRIC number as a password; and moving away from using the NRIC number as an authenticator, to prove that a person is who he claims to be. As I said earlier, within the Government, we are taking steps to do so.

  9. Here, it may be useful to contrast the NRIC number and the NRIC card, because there is some confusion that they are the same. They are not. Let me put this in personal terms, to be precise and specific. I can use my NRIC card both to identify myself, and to prove I am who I claim to be. The reason is not because my NRIC card contains my NRIC number, but because the card also contains other information such as my photo and fingerprint, that allows others to check that my NRIC card matches me, the person holding the card; plus the fact that the NRIC card is not easily faked. But someone providing my NRIC number and claiming to be me, is different from me producing my NRIC card to prove that I am that person. Providing my NRIC number alone should not be accepted as a way to authenticate that the person quoting my NRIC number is actually me.

  10. The proper way to handle NRIC numbers is spelt out in the PDPC’s Advisory Guidelines on the use of NRIC. We will update the Guidelines to help put a stop to the wrong uses of the NRIC number, and to give reassurance to entities who have legitimate reasons to use the NRIC number. We will consult industry before making any changes to the advisory guidelines. Meanwhile the prevailing guidelines remain valid. Therefore, most organisations and individuals can carry on with what they are doing to be careful and responsible in how they collect and use NRIC numbers. They must continue to exercise duty of care in their handling of NRIC numbers. For example, the numbers should not be published unless there are good reasons to do so. For organisations that are not using NRIC numbers, whether full or partial, as password or authenticator, nothing has changed. But if they are, then they should stop these practices as soon as practicable.

  11. I would also like to address a related question on ACRA’s exemption from PDPA requirements. The Government has always taken seriously its responsibility to protect the data entrusted to the public sector and we continue to strengthen our data governance practices. To be clear, the Government’s personal data protection standards, set collectively by the Public Sector Governance Act (PSGA) and our own internal rules, are aligned with the PDPA and adapted to the public service context. So, it is not as though within the Government, there are no rules. There is the PSGA and our internal rules. These internal rules existed even before the PDPA and were updated when the PDPA came into force. ACRA, like other public agencies, is expected to comply with these rules and the Public Sector Governance Act, which are no less stringent than the PDPA requirements, and often more stringent. For completeness, ACRA is also permitted or required by laws like the ACRA Act and Companies Act to share information, and it has to do so within the rules and PSGA requirements.

  12. To conclude, we are taking the public’s concerns on this matter seriously and we want to offer them better protection.

  13. We are not making drastic overnight changes. We do however need to move decisively to phase out the incorrect uses of the NRIC number, the sooner, the better.

  14. This will allow us to more confidently use the full NRIC number as a unique identifier. Thank you very much.

1 Remarks by Chief Executive of ACRA, Mrs Chia-Tern Huey Min

2 Remarks by Ms Indranee Rajah, Minister in the Prime Minister's Office, Second Minister for Finance and National Development

3 Opening Remarks by Minister Josephine Teo at Press Conference on Responsible Use of NRIC Numbers