MDDI Urges Private Sector to Stop Using NRIC for Authentication Amid Data Privacy Concerns

SINGAPORE: In a significant move to bolster data security, the Ministry of Digital Development and Information (MDDI) has urged private sector organisations to refrain from using National Registration Identity Card (NRIC) numbers for authentication processes. This advisory, issued jointly with the Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA), comes in response to the rising risks of impersonation and data breaches.

Risks of Using NRIC Numbers

MDDI highlighted that while NRIC numbers can identify individuals over the phone or during digital transactions, they should not be relied upon for proving a person’s identity when accessing sensitive information or services meant solely for them. “Using NRIC numbers as passwords is particularly dangerous,” the MDDI stated, noting that these details could easily be known by others.

Recommendations for Organisations

  • Stop using NRIC numbers as default passwords in password-protected files.
  • Avoid combining NRIC numbers with other easily accessible personal data, like birthdates.
  • Consider alternatives such as strong passwords, security tokens, or biometric methods for authentication.

The ministry emphasised that organisations must be responsible in deciding how to authenticate users, suggesting a risk-based approach—taking into account the sensitivity of the information being protected.

Ongoing Government Efforts

Since January 2024, the government has been actively working on measures to ensure proper NRIC usage in the private sector, with plans to assist regulated sectors like finance, healthcare, and telecommunications in developing specific guidelines to ensure compliance.

Minister for Digital Development and Information, Josephine Teo, reiterated the government’s commitment to protecting citizens’ personal data. Following public backlash over data mismanagement—such as the incident involving the Accounting and Corporate Regulatory Authority’s (ACRA) new portal—this directive aims to restore citizen confidence and enhance data security.