Ministerial Statement by Minister Josephine Teo on Responsible Use of NRIC Numbers
MINISTERIAL STATEMENT BY MINISTER JOSEPHINE TEO ON RESPONSIBLE USE OF NRIC NUMBERS, ON 8 JANUARY 2025
Mr Speaker,
1. Members have filed a total of 51 Parliamentary Questions on NRIC policy and the disclosure of NRIC numbers on ACRA’s Bizfile portal. Second Minister for Finance Ms Indranee Rajah and I will be making Ministerial Statements to address the issues raised. Our statements will address Questions 1 to 37 for oral answer in yesterday’s Order Paper; Questions 3 to 8 and 39 to 44 for written answer in yesterday’s Order Paper; Question 52 for oral answer in today’s Order Paper, and related questions that have been filed for subsequent sittings.
2. Let me start by acknowledging concerns raised by the public over NRIC policy. The Bizfile incident is unfortunate. Without intending to, it led the public to believe that the Government is changing its policy to allow full NRIC numbers to be exposed on a wide scale. This is not the case.
3. We take the public’s concerns seriously and are very sorry for the mistake that caused them much anxiety.
4. I want to reassure the public that NRIC numbers remain personal data. NRIC numbers can only be collected when there is a need to do so. Organisations that collect NRIC numbers also have a duty of care. Subject to applicable law, they must notify and seek consent on use, and ensure protection of the data. These are existing guidelines that will not change.
5. However, there are also some incorrect uses of the NRIC number today. Our plan was to stop these incorrect uses while the problem is relatively contained. Doing so will better protect everyone and allow us to use NRIC numbers with confidence.
6. In this regard, my Statement today will address two issues:
a. The current incorrect uses of NRIC numbers and why we need to change; and
b. What our next steps will be.
7. Sir, when we interact with others daily, we are identified by our names. However, our names may not be unique. For organisations that deal with many people, say a hospital with several patients named John Tan, they need a better way to uniquely identify them.
8. Their NRIC number is a useful unique identifier in such situations. When the hospital needs to perform an operation or dispense medication, the doctor or nurse must make absolutely sure that it is the right John Tan they are dealing with, and they should ask you, “What is your NRIC number?”.
9. Since the NRIC number’s purpose is to be a unique identifier, it cannot be a secret, just as our names are not secret. I should emphasise, however, that while your NRIC number is not a secret, it is not meant to be widely disclosed. This is the concern echoed in Mr Lim Biow Chuan’s question.
10. We would only disclose our NRIC number under certain circumstances, for example, when required by law. Some examples include disclosing our NRIC number to our employers, at the clinic, or when we subscribe to a mobile telephone line. Because we do have to disclose our NRIC number to others for such purposes, we must assume that at least some people know our NRIC number.
Incorrect uses of NRIC numbers
11. Over time, however, NRIC numbers have become increasingly used as more than an identifier. Previously, organisations would require seeing my physical NRIC card to confirm that I am who I claim to be. However, some organisations assume that if someone can cite my NRIC number, that person must be me! This is clearly wrong.
12. On the assumption that this person is indeed me, some organisations may go further to give the person access to privileged information or services. When used this way, my NRIC number is no longer just an ID, or identifier, but a key to unlock more information or services. In such situations, the NRIC number is being accepted as an authenticator, or proof of who a person claims to be. This is clearly inappropriate.
13. Instead of the full NRIC number, some organisations collect and use a partial NRIC number, usually the last four characters of the NRIC number. They think that this is safe, and that revealing only the last four characters still keeps the full NRIC number secret. Among public agencies, even when the agencies had the full NRIC numbers, the use of masked NRIC numbers became more common.
14. Besides organisations, some individuals also started to use their NRIC numbers as their passwords. They did so under the impression that the full NRIC number is secret.
15. However, as shown by Dr Tan Wu Meng in his question, there are now algorithms that can be found online, that have made it easier to work out the full NRIC number from the partial or masked NRIC number. The easy availability of such algorithms means that the continued use of partial or masked NRIC numbers gives both organisations and individuals a false sense of security. This does not really keep the full NRIC number secret. This also makes the practice of using NRIC numbers as passwords even more inappropriate.
Government started taking steps to stop incorrect uses
16. To the questions by Dr Tan, Mr Liang Eng Hwa and Ms Sylvia Lim, these developments led the Government to take steps to stop the incorrect uses of the NRIC number.
17. This meant two things: one, not using the NRIC number as an authenticator; and two, moving away from the use of masked NRIC numbers, because it creates a false sense of security.
18. We knew this transition would take time. But it was better to start while the problem is relatively contained, and for the Government to take the lead. To the question by Ms Joan Pereira, we proceeded to ask agencies to stop using the NRIC number as an authenticator or as a password. We also asked agencies not to plan new uses, with a view to discontinuing existing uses of masked NRIC numbers eventually.
19. The lapse in coordination between agencies led to ACRA’s misunderstanding, and the disclosure of full NRIC numbers in the People Search function of its new Bizfile portal.
20. In hindsight, what we should have made clear was that moving away from the use of masked NRIC numbers did not mean automatically using the full NRIC number instead in every case. At no point was our intention to disclose full NRIC numbers on a wide scale.
21. In place of masked NRIC numbers, in some instances, there would be no need for the NRIC number at all. In other instances, names alone or some other identifier would be sufficient. But there could also be instances where full NRIC numbers should be used, instead of masked NRIC numbers. Each case would have to be assessed and decided individually.
22. Members including Mr Leong Mun Wai, Mr Liang Eng Hwa, Mr Xie Yao Quan, Ms Jessica Tan, Mr Dennis Tan, and Mr Pritam Singh, have asked about the internal processes leading to ACRA’s actions. Minister Indranee will say more about it in her statement later, and address Members’ questions related to ACRA.
The plan for the private sector
23. Ms Cheryl Chan asked why the efforts to change did not include the private sector.
24. The Government knew that it would take time for public sector agencies to make the change. We expected that it would take even longer for the private sector, because of longstanding practices and habits.
25. The plan was therefore to change the internal practices of Government before moving to change practices in the private sector and non-profit organisations, which Ms Usha Chandradas asked about. We believed that doing so would allow us to better understand the implementation challenges, and as a result, facilitate a smoother transition in the private sector.
26. We had also planned to mount a major effort to help Singaporeans be aware of the risks and to support efforts to stop incorrect practices.
27. The Bizfile incident was an unfortunate misstep which now means these plans need to be brought forward.
28. While we had taken steps to stop the incorrect uses of NRIC numbers in the public sector, we had not started implementation for the private sector. Mr Edward Chia, Mr Liang Eng Hwa, Ms Hazel Poa, and Mr Xie Yao Quan have asked specifically what should be done in the private sector.
What should private sector organisations do?
29. At this stage, we would advise private sector organisations to do two things.
30. First, private sector organisations that are using NRIC numbers as a factor of authentication or as default passwords should stop this practice as soon as possible.
31. Second, private sector organisations that presently collect partial NRIC numbers to identify people can continue to do so. The guidelines for the private sector have not yet changed and we will only consider how they should be updated after consulting the public.
32. To questions by Mr Xie Yao Quan, Mr Melvin Yong, and Mr Sharael Taha, we aim to start consultations soon and will provide details when ready. Our initial soundings with the private sector suggest there can be different approaches.
33. Some organisations currently using partial NRIC numbers can stop the practice and replace them with alternative means of identification such as mobile numbers or email addresses, or drop them entirely. But there are also organisations that need to accurately identify persons and can justify the collection of full NRIC numbers even if they are not required by law. For example, preschool centres will prefer to collect the full NRIC numbers of visitors rather than just the mobile numbers; the parents will certainly feel more secure. In applications for and disbursements of substantial financial aid, persons would also need to be accurately identified.
34. We will take these considerations on board when updating the guidelines. In any case, I would like to assure members like Ms Jean See and Mr Ong Hua Han that PDPC will support businesses in changing their authentication methods. This will include raising their awareness on why the use of NRIC numbers as a factor of authentication is unsafe and working through IMDA and CSA’s programmes to help businesses review and adjust their practices.
35. To questions by Ms Tin Pei Ling, Mr Zhulkarnain Abdul Rahim, and Assoc Prof Jamus Lim, I should emphasise that NRIC numbers are personal data. This means that organisations collecting and using NRIC numbers must continue to exercise a duty of care. Subject to applicable law, they must notify and seek consent on use, and also ensure the data is sufficiently protected. Certainly, they should not disclose the NRIC numbers unless there is good reason to do so.
The physical NRIC card
36. Members may also ask, if the NRIC number is not suitable as an authenticator, what about the physical NRIC card, our pink identity card?
37. If we look at our physical NRIC card, we will see that it contains other identifying information such as our photo and fingerprint. It allows others to check that the information on the card matches me, the person holding the card. In addition, the physical NRIC card is not easily faked.
38. The physical NRIC card is therefore suitable as an authenticator, or proof of who I claim to be. But someone providing my NRIC number and claiming to be me, does not have these additional factors of proof.
39. Organisations must know that the physical NRIC card and NRIC number are two different things. The physical NRIC card can be an authenticator, but the NRIC number should not be used as an authenticator. Organisations should therefore not accept my NRIC number alone as proof that the person citing it is me.
What should individuals do?
40. Besides organisations, individuals too have questions about what they should do. There are also two things.
41. The first is to clarify their understanding of the NRIC number. Members like Ms Sylvia Lim asked about this.
42. We have said that our NRIC number is like our name. Even if it is not widely disclosed, it is not secret.
43. In our daily lives, if someone we do not recognise calls out our name and starts to behave as though they know us well, we would be slightly suspicious. We might be polite but not too friendly. Certainly, we should not fully trust this person, just because they know our name.
44. This should also be how we treat anyone who tells us our NRIC number. We should not automatically assume that they know us well, or are figures of authority, or can be trusted. We should be cautious about revealing more about ourselves, or saying “yes” to their requests, or following their instructions, without checking further.
45. The second thing we can do as individuals is to review our passwords.
46. If we have used our NRIC number as a password to access any information or service, we have mistakenly used it as an authenticator and should change the password immediately. Doing so will give us better protection against people who use our NRIC number to get access to information or services. It will also complement efforts by organisations to stop using the NRIC number as a factor of authentication.
47. To Ms Hany Soh’s question, NRIC-related scams are not new. Most NRIC-related scams involve victims who think they are speaking to figures of authority and end up taking actions that harmed themselves, such as transferring money without further checks. Very few cases have involved scammers directly using NRIC numbers to unlock access to valuables.
48. Several members have also asked how to mitigate the risks when NRIC numbers are disclosed. They include Mr Zhulkarnain Abdul Rahim, Mr Edward Chia, Mr Christopher de Souza, Mr Ong Hua Han, Mr Liang Eng Hwa, Ms Jessica Tan, Mr Louis Chua, Ms Cheryl Chan, Mr Sharael Taha, and Mr Yip Hon Weng.
49. As I have explained, the risks arise from the incorrect uses of the NRIC numbers. If individuals stop using NRIC numbers as passwords, and organisations stop using NRIC numbers as authenticators, this will go a long way to preventing harms from scams and identity theft. They will give us all better peace of mind to use the NRIC number whenever it is necessary, such as to get medical treatment or apply for jobs.
Focus of public education
50. Sir, the Government appreciates that the incorrect uses of the NRIC number may not be well understood. Our public education efforts will raise awareness among organisations and individuals, and guide them on what they should do. In doing so, we will focus on the points I highlighted above.
51. Mr Gerald Giam asked about alternatives to the current NRIC number system. In fact, the risks do not arise directly from the structure of the NRIC number. Rather, the risks arise when the NRIC number, which is meant to be a unique identifier, is incorrectly used as an authenticator or a password. Even if we were to create an alternative identifier, we would still have a problem if organisations used it as an authenticator, and individuals used it as a password.
Government agencies have strict data protection standards
52. Sir, let me turn now to questions about ACRA’s exemption from PDPA requirements, and the Government’s data protection measures. These were raised by Ms Tin Pei Ling, Ms Sylvia Lim, Mr Saktiandi Supaat, and Mr Patrick Tay.
53. The Government has always taken seriously its responsibility to protect the data entrusted to the public sector. The Government’s personal data protection standards are set collectively by the Public Sector (Governance) Act (PSGA) and our own internal rules.
54. The PSGA is aligned with the PDPA and adapted to the public service context. Our internal rules are comprehensive and take reference from industry and international standards. We also continually strengthen our data governance practices.
55. ACRA is expected to comply with these rules and the PSGA, which are no less stringent than the PDPA requirements. Regular, mandatory audits are conducted to ensure that public agencies, including ACRA, comply with the standards for data protection and the security of ICT systems. The number of data incidents and their severity is published annually.
56. In the most recent whole-of-Government audit exercise on IT-related data security controls, there were very few significant findings, and all of them had been remediated by the agencies concerned. There has also been a reduction in data incidents of medium severity and above. Where necessary, we have also taken public servants to task, for example, in serious cases involving unauthorised disclosure or improper use of information.
57. Members can be reassured that we take these rules and controls very seriously. We will continue to regularly review the safeguards to ensure they remain relevant.
Conclusion
58. Sir, let me conclude.
59. We understand the public’s concerns about NRIC numbers. It was not our intention to make the full NRIC number widely disclosed and we are not heading in that direction.
60. NRIC numbers are personal data and can only be collected and used when there is a need to. Organisations that hold your NRIC number also have a duty of care – subject to law, they must notify and seek consent on use, and ensure protections. These are existing guidelines that will not change.
61. What needs to change are the incorrect uses of the NRIC number. These include using NRIC numbers for authentication or as passwords. It is better to make these changes while the problem is relatively contained. Organisations and individuals can both help by taking steps to stop using NRIC numbers as authenticators or passwords.
62. By taking action as soon as possible, we can increase protection for all of us. This will allow us to more confidently use the full NRIC number as a unique identifier whenever we need to do so.
63. Mr Speaker, please allow me to summarise a few key points in Mandarin, please.
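64. Mr Speaker, the Government understands that Singaporeans are very concerned about the issue of the correct use of NRIC numbers. I would like to reiterate here that the Government does not intend for NRIC numbers to become widely disclosed information.
65. NRIC numbers are personal data belonging to each of us, to be used or disclosed to others only when necessary.
66. Unless required by law, any organisation that wishes to collect and retain our NRIC numbers must first explain the purpose and seek our consent, and ensure that the NRIC numbers are properly protected. These existing guidelines have not changed.
67. But what we must change are some incorrect uses of NRIC numbers. For example, we should not use NRIC numbers to verify a person's identity, and still less should we set NRIC numbers as passwords.
68. We should correct this in time, before the problem becomes too serious. Both organisations and individuals can do their part by no longer treating NRIC numbers as proof of identity or as passwords.
69. As long as we act early, we can strengthen our safety net. In this way, we can use NRIC numbers with more confidence, when necessary, as a tool for identification.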
70. Mr Speaker, with your permission, I will respond to any clarifications which Members may have, after Minister Indranee Rajah has also made her Statement.