Singapore’s government has addressed recent controversy surrounding the unmasking of National Registration Identity Card (NRIC) numbers on the Bizfile portal, a public database managed by the Accounting and Corporate Regulatory Authority (ACRA). The incident occurred due to a misinterpretation of an internal circular from the Ministry of Digital Development and Information (MDDI). The situation emerges as Singapore continues expanding its digital identity infrastructure, including recent initiatives to enable digital ID usage for in-person government services.
During a press conference on December 19, 2024, Minister for Digital Development and Information Josephine Teo and ACRA’s chief executive Chia-Tern Huey Min issued formal apologies for the incident. “We are very sorry to have caused them much anxiety,” said Minister Teo, acknowledging public concerns about the handling of personal data. Teo, who has been instrumental in shaping Singapore’s digital transformation strategy, has previously emphasized the importance of secure digital infrastructure at regional technology forums.
The government has clarified its intention to move away from using masked NRIC numbers, which “can provide a false sense of security,” according to Minister Teo. The NRIC’s primary purpose is to serve as a unique identifier, similar to a name, rather than as an authentication tool. The change supports Singapore’s broader digital identity strategy, which increasingly focuses on modern authentication methods, including biometric verification systems similar to those used by financial institutions like Tiger Brokers Singapore.
For private sector organizations, the government has committed to a consultation process before implementing any changes. The administration will update the Personal Data Protection Commission’s (PDPC) Advisory Guidelines regarding NRIC number usage to provide clearer direction on appropriate use cases. The PDPC has been actively involved in developing frameworks for responsible data usage, including recent guidance on AI ethics and data protection.
The new approach distinguishes between situations requiring full NRIC numbers, such as healthcare procedures, and those where NRIC numbers should not be used at all, such as lucky draws or property access management. For the latter cases, alternatives like phone numbers or email addresses are recommended. The policy revision reflects growing awareness of identity protection best practices and matches international standards for personal data protection.
ACRA’s unmasking of NRIC numbers on the Bizfile portal resulted from staff misinterpreting an internal circular that directed government agencies to stop using masked NRIC numbers in new business processes and services. The implementation occurred without the intended phased approach and consultation process, highlighting the challenges of managing complex digital identity systems in an increasingly connected environment.
Sources: South China Morning Post, Mothership, MDDI, The Straits Times, The Straits Times
Follow Us