How Facebook post led to Government bombshell: Your NRIC number is not secret

Submitted by Loveoursingapore

Your National Registration Identity Card (NRIC) number is not a secret, said the Personal Data Protection Commission (PDPC) on Dec 14.

This comes after the Accounting and Corporate Regulatory Authority (Acra) said that its new Bizfile online portal provides full NRIC rather than the masked NRIC as part of the search results.

This sparked privacy concerns among Singaporeans such as Stomper Loveoursingapore, who said: "We want our identity card (IC number) to be masked.

"This is because in this world, only in Singapore, the IC number shows our year of birth because in those olden years, those civil servants who set the citizenship system were not innovative, not creative, not clever, not smart enough to use other better ways of assigning the newborn babies, new citizens and new permanent residents with a good numbering system.

"Yes, we do not want to disclose full names too. That is why many of us use English names in the workplace instead of our full names in our birth certificates.

"This is simply because we want to be humble and keep a low profile."

How did it come to this?

It all started from a Facebook post by former Singapore Press Holdings editor Bertha Henson.

She posted on Dec 12:

I got a shock yesterday when I was told that it was easy to get hold of identity card numbers. All someone had to do was log into Bizfile, go to People profile, key in the name - and the IC number would come up. (Sorry. No need to log in, just go to the site and search.) I tried it under my own name this morning and true enough, it was easy to do.

Another friend did it for himself, his sister and mother - all of whom had no business with any type of business - and their IC numbers came up too. For good measure, I tried several political leaders - and got theirs as well. And this included someone who was already dead.

I was gobsmacked and wondered if this was a breach of PDPA (Personal Data Protection Act). Then again, Bizfile comes under Acra which is exempt from PDPA. It comes under the Public Sector Governance Act which regulates the management of personal information that G(overnment) agencies have.

I thought this was a glitch because Bizfile was a 'new' website which went live on Dec 9. Perhaps, someone overlooked the details? If so, this was a loophole that should be closed, in my view. I wouldn't want my IC number bandied around or used for nefarious purposes.

In any case, I reported this as an 'incident' to the Ministry of Digital Development and Information because it involved a G entity. I also called the PDPC to give details. I suggested that the officer key in his own name and see what comes up. I then called someone I know in the finance ministry.

She followed up with another post the next day:

I think the first reaction of most people who read my post last night was horror. One or two people berated me for even bringing up the issue, saying that I am merely letting the world, including bad hats, know how to get hold of IC numbers easily. They wondered about my motives. I am glad that everyone acknowledges that IC numbers can be misused. I was ready to think it was a glitch or an oversight because of the new user interface. But the answer I got was a recount of the law exempting G agencies from the basic thresholds of PDPA applied to the private sector.

Addressing the issue, Acra released a statement on its website on Dec 13:

As the national business registry of Singapore, one of Acra's functions is to provide access to information, including full NRIC numbers, of company office holders, so that members of the public who need to transact with these businesses can confirm the identity of the individuals associated with the businesses (e.g. when entering into contracts). The availability of such information supports corporate transparency and trust in the business environment. It also facilitates due diligence checks and guards against illicit activities.

Under Acra's previous Bizfile portal, public users could do a search based on an individual's name, and get a list of all individuals who are office holders or business owners in Singapore with that same name, as well as their masked NRIC numbers. Users could then select a specific individual and pay for the complete set of information about that individual, which would include his or her full NRIC number, as well as address. As some individuals prefer to keep private their residential addresses, they can also provide a different contact (e.g. an office address) for the Acra database.

Acra's new Bizfile portal retains this same search feature for users. But it provides the full NRIC rather than the masked NRIC as part of the search results. This is in line with the broader government effort to move away from using masked NRIC numbers (as explained separately by Ministry of Digital Development and Information).

We recognise that we had moved ahead with the unmasking before public education on the appropriate use of NRIC information could be done. As a result, many reacted negatively to the new search feature, and expressed unease about their full NRIC numbers being made public. Acra has therefore disabled the search function for now. We are sorry for the mistake and for causing anxiety to the public. We will continue to review and update the Bizfile portal to fulfil our role as the national business register of Singapore.

On the same day, the Ministry of Digital Development and Information (MDDI) released its statement:

The NRIC number is a unique identifier assigned by the Singapore Government as a means to identify individuals, and should be used as such. As a unique identifier, the NRIC number is assumed to be known, just as our real names are known. There should therefore not be any sensitivity in having one's full NRIC number made public, in the same way that we routinely share and reveal our full names to others.

The problem arises when the NRIC number is misused. For example, this can happen when organisations rely on the NRIC number as a form of authentication to access privileged information or perform privileged transactions. But just as our names alone would not be suitable as the basis for such authentication, neither should the NRIC number be used for this purpose. Likewise, the NRIC number should not be used as passwords, just as we should not be using our names as passwords. If the NRIC number is used for authentication, it would have to be kept a secret, which would defeat its main purpose as a unique identifier.

There has for some time been a practice of using masked NRIC numbers (e.g. rendering S0123456A as ****456A). In fact, there is no need to mask the NRIC number, nor is there much value in doing so. Using some basic algorithms, one can make a good guess at the full NRIC number from the masked number, especially if one also knows the year of birth of the person. That is why public agencies are phasing out the use of masked NRIC numbers to avoid giving a false sense of security.

The Government's intent was to change the existing practice of masking the NRIC number only after explaining the issue and preparing the ground. We acknowledge that co-ordination could have been better so that Acra's move would not have run ahead of the Government's intent. We apologise for this mistake and for causing anxiety to the public.

We recognise that some Singaporeans have long treated the NRIC number as private and confidential information, and will need time to adjust to this new way of thinking about the NRIC number. In the coming year, MDDI and PDPC will be conducting a public education effort about the purpose of the NRIC number, and how it should be used freely as a personal identifier in the same way we use our names, as well as the correct steps we ought to take to protect ourselves, which involve proper use of authentication and passwords.

As PDPC was mentioned in MDDI's statement, PDPC released its own statement on Dec 14 regarding the use of NRIC numbers by organisations to authenticate an individual's identity or set default passwords:
