PDPC guidelines to be updated to 'align with new policy intent', after government said it plans to stop masking NRIC numbers
PDPC added that it "not be making any further changes until we have completed our consultations with industry and members of the public".
SINGAPORE: The Personal Data Protection Commission (PDPC) advisory guidelines for National Registration Identity Card (NRIC) numbers will be updated to align with the new policy intent.
The government said on early Saturday (Dec 14) that it intends to change the practice of masking NRIC numbers, after privacy concerns were raised over the new Bizfile portal showing people's details for free in its search results.
The Ministry of Digital Development and Information (MDDI) said that the government had planned to make this change "only after explaining the issue and preparing the ground".
PDPC has received questions and feedback from the public following the statements by MDDI on the appropriate use and misuse of NRIC numbers, the commission said on Saturday evening in response to CNA's query.
"We are sorry for the confusion caused to the public and will fully address the public’s concerns and questions as soon as possible," it added.
PDPC said that it recognises that its advisory guidelines for NRIC and national identification numbers need to be updated to be aligned with MDDI's statement.
However, it will "not be making any further changes until we have completed our consultations with industry and members of the public".
"The guidelines will then be updated to align with the new policy intent," it added.
A check by CNA on Sunday morning also showed an amendment on the commission's website, saying that while the current PDPC advisory guidelines for NRIC numbers "remain valid", they will be updated in light of MDDI's statement.Â
MDDI's statement specifically advises against the use of NRIC numbers by individuals as passwords and the use of NRIC numbers by organisations to authenticate an individual’s identity or set default passwords, said PDPC.
The commission noted that it had previously taken action against organisations which used NRIC numbers for authentication and "breached their data protection obligations".
It said: "A person’s name and NRIC number identifies who the person is. Authentication is about proving you are who you claim to be. This requires proof of identity, for example, through a password, a security token or biometric data.
"As the NRIC number is not a secret, it should not be used by an organisation for authentication purposes."
The commission also advised organisations against using NRIC numbers as the default password for services provided to an individual.Â
"Organisations that have such practices should phase them out as soon as possible," it added.Â
On the use of NRIC numbers by individuals as passwords, the commission said they should not be used as a password, just as "our names are not used as passwords", adding that those who have done so should immediately change their password.
PDPC noted that the NRIC number is still subject to the data protection obligations in the Personal Data Protection Act, and organisations collecting such data must still obtain valid consent and comply with reasonable use and ensure protection.
In 2025, MDDI and PDPC will be carrying out public education about the purpose of the NRIC number and "how it should be used freely as a personal identifier".
They will also aim to educate people on how they can protect themselves through the proper use of authentication and passwords.