Officers, leaders involved in NRIC unmasking saga may face financial consequences

SINGAPORE: Appropriate actions are being taken with officers and leaders at the Ministry of Digital Development and Information (MDDI) and the Accounting and Corporate Regulatory Authority (ACRA) who were involved in last year's Bizfile incident.

While there was no malicious intent or wilful wrongdoing, there were shortcomings in the communication and implementation of policy changes in the use of National Registration Identity Card (NRIC) numbers, and in the implementation and oversight of the People Search function of Bizfile, the ministry and agency said in separate statements on Monday (Mar 3).

MDDI, ACRA and its parent ministry, the Ministry of Finance (MOF), issued the statements after a review panel released its report looking into how full NRIC numbers ended up being displayed in search results on Bizfile for five days last year.

The panel concluded that a "confluence" of six shortcomings led to ACRA misunderstanding MDDI's intentions, and unmasking the NRIC numbers on the Bizfile portal, which is run by ACRA.

MDDI and ACRA said they accepted the findings and acknowledged the shortcomings that had been identified.

"We apologise again for our oversight, which had caused public anxiety and concerns. In this incident, the public service did not perform to the level we set for ourselves," they said.

The ministry and agency said they have thoroughly reviewed the actions and responsibilities of those involved in the incident, and "appropriate actions" are being taken. 

"This includes reviewing performance assessments, which will carry financial consequences, as well as counselling and additional training," they said.

ADDRESSING THE SHORTCOMINGS

MDDI and ACRA also laid out the steps they will take in light of the Bizfile incident.

The ministry said it is developing further guidance to government agencies on how to apply the policy on NRIC numbers. 

It has identified close to 800 existing use cases of partial NRIC numbers in public-facing systems, each with their specific context and characteristics. 

MDDI said it would improve coordination with agencies to support them in the implementation.

It will also strengthen internal processes and staff training to provide clear explanations of the broader policy context and considerations when issuing directives. 

The ministry has also reminded agencies of the government's existing data management policies and standards regarding the collection, use and disclosure of personal data, including NRIC numbers. It will conduct refresher briefings to reinforce understanding.

MDDI said the government remains committed to protecting the personal data of citizens. It will also consult industry and the public before making any changes in guidelines on the use of NRIC numbers in the private sector. 

ACRA said it would improve communications internally and externally so that important information is sufficiently shared and leaders can make informed decisions. 

It will also conduct more regular system reviews to evaluate data security and protection risks, and implement appropriate security measures if vulnerabilities are found. Such reviews will especially be conducted before, during and after major IT system changes.

ACRA said it will strengthen oversight of vendors to ensure that systems are implemented effectively and in line with requirements. For Bizfile, a review by the Government Technology Agency (GovTech) found that some security features were not adequately implemented.

The agency will refine its vendor management framework to put additional safeguards in place.

MOF said it would support ACRA in its follow-up actions and share the learning points with other MOF agencies.

"We are taking the necessary steps to ensure such incidents do not recur."

In response to queries from CNA, ACRA said it is studying alternative approaches, such as adding new search parameters, to the People Search function that will meet users' needs while addressing data protection concerns.

The NRIC number will continue not to be shown on the results of People Search, said a spokesperson.