In a move reflecting evolving attitudes towards data privacy, the Personal Data Protection Commission (PDPC) has announced that it will update its advisory guidelines regarding the use of National Registration Identity Card (NRIC) numbers. This change comes after the public raised concerns about the implications of the new Bizfile portal, which had made full NRIC numbers accessible online.
Government’s Stance on NRIC Numbers
The Ministry of Digital Development and Information (MDDI) stated that NRIC numbers should no longer be regarded as sensitive information, paralleling how full names are treated. With this shift in perspective, the PDPC aims to ensure that companies continue to handle NRIC data according to existing data protection laws.
Consultations Before Changes
- The PDPC will hold consultations with industry players and the public before rolling out new guidelines.
- Despite the proposed changes, companies remain barred from collecting or disclosing NRIC numbers without a legal requirement.
- Public feedback has prompted the PDPC to clarify its position on the appropriateness of using NRIC numbers for authentication.
Authentication and Password Guidelines
Addressing how organisations handle identity verification, the PDPC advised against using NRIC numbers as passwords—a recommendation that seems intuitive, yet important. Instead, it suggested using complex passwords with at least 12 alphanumeric characters and enabled two-factor authentication for added security.
Public Education Initiatives
The MDDI and PDPC plan to educate citizens on the appropriate use of NRIC numbers by 2025, helping people grasp their role as personal identifiers rather than secretive credentials. They’ll also focus on how to safeguard personal information, reducing reliance on possibly insecure forms of authentication.
Temporary Measures in Response to Concerns
In response to the uproar over the Bizfile portal’s functionality, the Accounting and Corporate Regulatory Authority (Acra) has temporarily disabled its updated search feature, which provided access to full NRIC numbers of company officers.
This proactive measure showcases a recognition of the public’s unease, and both MDDI and PDPC remain committed to addressing these privacy concerns with ongoing public dialogues and adjustments to guidelines.