Misunderstanding of internal govt circular led to unmasking of NRIC numbers on Bizfile: Acra

A misunderstanding of an internal government circular and lack of coordination between government staff had led to the disclosure of full NRIC numbers on a new business portal, said the chief executive of the Accounting and Corporate Regulatory Authority (Acra).

The Ministry of Digital Development and Information (MDDI) had in July issued a circular to government agencies telling them to stop using masked NRIC numbers in new business processes and services as part of a broader policy shift to gradually move away from using NRIC numbers as a method of authentication.

At a press conference on Dec 19, Acra chief executive Chia-Tern Huey Min said staff from her agency had “interpreted the requirements to cease the use of masked NRIC numbers as needing to unmask the numbers in our new Bizfile portal”.

“Acra sought to clarify with MDDI what were the scope and implementation timeline of this new requirement. But communications between the two agencies were not sufficiently clear, leading to Acra’s mistaken thinking,” said Mrs Chia-Tern.

Acra rolled out its new Bizfile portal on Dec 9. It allowed the public to access full NRIC numbers via a search for free, sparking concerns about data privacy.

Mrs Chia-Tern apologised for the lapse, which she said had caused anxiety and confusion among the public.

“As the owner of the Bizfile portal, Acra should have been more mindful that many Singaporeans have long treated their NRIC numbers as private and confidential information, and would not want to have their full NRIC numbers searchable on the new portal,” she said.

“We should also have taken more deliberate care to ensure that such information, deemed sensitive by many, is provided only when needed. Acra will learn from this lesson and tighten our systems and processes,” she added.

Minister for Digital Development and Information Josephine Teo said the miscommunication took place despite attempts to coordinate and seek clarification. “We are very sorry,” she added.

Acknowledging the confusion caused by the Government’s statement that it is moving away from masked NRIC numbers, she clarified multiple times during the two-hour press conference that this new approach does not mean automatically unmasking and using a person’s full NRIC number in all circumstances.

The Government is not asking for all NRIC numbers to suddenly be revealed, Mrs Teo said.

She noted that the Government uses full NRIC numbers to facilitate services such as disbursements of grants and subsidies to different individuals with the same name, for example.

The private sector will be consulted to get feedback on what scenarios may require the use of unmasked NRIC numbers, among other issues, Mrs Teo added.

Second Minister for Finance Indranee Rajah said the Government is reviewing the incident to identify areas where communication and coordination between agencies can be improved.

“It is still premature at this stage to say if anything is going to happen to particular staff in question... This is an instance of a misunderstanding. One has to ascertain exactly how that came about, and have a look at the full facts before deciding on what, if anything, needs to be done,” she said.

Mrs Chia-Tern also explained Acra’s role as the national business registry, which has to maintain transparency in Singapore’s business environment.

To do so, it has to establish and administer a repository of information relating to business entities and the people behind the entities, and provide access to this information.

The Bizfile portal allows the public to search for the name and unique entity number of companies, as well as company directors and shareholders.

This information enables companies or individuals to carry out checks before they decide to do business with another party.

For example, a company considering appointing an individual as a board director can check the Bizfile portal for the individual’s associations with other companies.

“This helps the company in a few ways – it can reveal potential conflicts of interest, past bankruptcies involving the individual, the performance of companies the individual is associated with, and whether the individual is holding an excessive number of directorships,” said Mrs Chia-Tern. “These insights are crucial for the company to obtain but may not be appropriate to inquire directly from the individual.”

Mrs Teo also said that despite Acra’s exemption from Personal Data Protection Act (PDPA) requirements, the Government has always taken seriously its responsibility to protect the data entrusted to the public sector and will continue to strengthen its data governance practices. 

“To be clear, the Government’s personal data protection standards, set collectively by the Public Sector Governance Act and our own internal rules, are aligned with the PDPA and adapted to the public service context. So, it is not as though within the Government, there are no rules,” said Mrs Teo, adding that such internal rules existed even before the PDPA came into force. 

She added: “Acra, like other public agencies, is expected to comply with these rules and the Public Sector Governance Act, which are no less stringent than the PDPA requirements, and often more stringent.” 

Source: Straits Times © SPH Media Limited. Permission required for reproduction.

What the move away from masked NRIC numbers means for Singaporeans: askST Acra to restore Bizfile search function, restrict access to full NRIC numbers to paying users