The Singapore government’s current position on the treatment of NRIC numbers has come under intense scrutiny by the public, particularly in light of the Ministry of Digital Development and Information’s (MDDI) defence of ACRA’s Bizfile platform, which made individuals’ full NRIC numbers publicly accessible.
MDDI described NRIC numbers as “just identifiers” that should not be treated as sensitive.
This stance appears to conflict not only with the Personal Data Protection Act (PDPA) as it currently stands but also with earlier enforcement actions, such as the penalty imposed on the Singapore Taekwondo Federation (STF) in 2018 for exposing students’ NRIC data.
The Singapore Taekwondo Federation case: A strict standard on NRIC security
In 2018, the Personal Data Protection Commission (PDPC), operating under MDDI, penalised STF for the unauthorised disclosure of NRIC numbers.
STF had uploaded PDFs listing the names and schools of students participating in a championship.
Although the NRIC numbers were “minimised” and not immediately visible, they could be extracted by copying the PDF contents into another document. This oversight led to the exposure of the NRIC numbers of 782 students, most of whom were minors.
In its ruling, the PDPC emphasised that NRIC numbers are of a uniquely sensitive nature, stating: “Given the risks and potential impact of any unauthorised use or disclosure of personal data associated with the individual’s NRIC number, organisations are expected to provide a greater level of security to protect NRIC numbers…”
STF was found to have contravened the PDPA’s requirements for reasonable security measures and was fined S$30,000. The federation was also directed to appoint a Data Protection Officer (DPO) and implement policies to meet its PDPA obligations.
Contrasting MDDI’s stance on ACRA
Fast forward to 2024, and the government’s position appears to have shifted significantly. Following the public outcry over ACRA’s Bizfile platform exposing full NRIC numbers, MDDI stated: “As a unique identifier, the NRIC number is assumed to be known, just as our real names are known.
“There should therefore not be any sensitivity in having one’s full NRIC number made public, in the same way that we routinely share and reveal our full names to others.”
This explanation is perplexing, given the PDPC’s earlier enforcement actions, which treated NRIC numbers as highly sensitive.
The 2018 Advisory Guidelines on NRIC numbers—since removed for updates—explicitly required organisations to take heightened precautions, acknowledging the risks of identity theft, fraud, and harassment.
Risks of NRIC exposure remain unresolved
The real-world consequences of NRIC misuse are far from hypothetical. In 2019, former presidential candidate Tan Kin Lian became a target of harassment when someone used his publicly shared NRIC number to repeatedly attempt logins on his SingPass account, locking him out.
Seniors and vulnerable individuals have also been targeted by scammers impersonating authorities, citing their NRIC numbers to gain trust. These examples illustrate the persistent dangers associated with NRIC exposure.
In the STF case, the PDPC noted that minors’ NRIC numbers were particularly sensitive, imposing substantial financial penalties and additional responsibilities on the federation.
By contrast, MDDI’s defence of ACRA suggests a diminished emphasis on the risks of unauthorised use and exposure of NRIC numbers, potentially leaving citizens more vulnerable.
ACRA acts on unapproved policies, bypassing Parliament
Furthermore, MDDI’s stance on NRIC numbers appears to be more of an intention than an officially formalised policy.
No amendments have been made to the PDPA to reflect this new position, nor have such changes been debated in Parliament. Yet, this “intention” has been used to justify ACRA’s premature decision to expose full NRIC numbers through its Bizfile platform, despite the associated risks to individuals.
This raises serious questions about accountability. If the PDPA and its guidelines continue to treat NRIC numbers as sensitive, how can MDDI justify ACRA’s actions based on a future policy direction that has not been formalised?
While ACRA has removed the search function in light of the public outcry, it is clear that this would not have been done without Bertha Henson raising the issue in her Facebook post on Thursday.
Moreover, why was there no coordinated public consultation or education prior to ACRA’s implementation?
The resulting confusion and public anxiety highlight the need for clearer, more consistent communication and policy execution.
Contrasting ACRA’s exemption
While STF was penalised under the PDPA for exposing NRIC numbers, ACRA is exempt from this law.
As a statutory board, ACRA is not subject to the same legal obligations that govern private organisations or non-profits under the PDPA.
This means that despite ACRA’s Bizfile platform exposing full NRIC numbers of an unknown number of individuals since its launch on 9 December, it is not liable for penalties or enforcement actions by the PDPC.
This exemption highlights a significant gap in accountability.
While private organisations like STF face heavy fines and strict enforcement for mishandling NRIC data, statutory boards like ACRA can bypass these regulations entirely.
Yet, ACRA’s actions create the same risks to individuals’ privacy and security. This double standard undermines public trust in the government’s data protection framework and raises urgent questions about fairness, transparency, and the consistent application of laws.
If statutory boards are allowed to operate outside the regulations meant to safeguard personal data, how can the public have confidence that their sensitive information is being adequately protected?
Addressing these exemptions is critical to ensuring that all entities handling personal data are held to the same standards, especially when public trust and privacy are at stake.