Experts: Businesses should continue to mask NRIC numbers before new PDPA Guidelines are issued
Source: Lianhe Zaobao
Article Date: 24 Dec 2024
Author: Poh Lay Hoon
Legal experts interviewed cautioned the public not to use personal identification information, including NRIC numbers, as passwords. Businesses and organisations should also stop using NRIC numbers for verification or identity authentication and adhere to industry standards for verifying user identity.
This article was first published on 16 December 2024 in the Singapore Mandarin broadsheet, Lianhe Zaobao.
SLW obtained permission to reproduce the article to give the legal community a broader view of legal reports for various news syndicates.
Although the government no longer considers the National Registration Identity Card (NRIC) number as protected data, this does not mean that companies and organisations can throw caution to the wind. Until the Personal Data Protection Commission (PDPC) issues new advisory guidelines, the existing Personal Data Protection Act remains unchanged. Thus, businesses and organisations are still required to mask NRIC numbers.
Yeong Zee Kin, Chief Executive of the Singapore Academy of Law (SAL), commenting in the capacity of an expert in data protection, said that with the imminent change in policy, members of the public will have to be aware that more organisations will have their NRIC numbers. Members of the public should not be lulled into a false sense of security just because the person they are speaking with has their NRIC number.
"Organisations will also have to be more vigilant about adhering to current industry standards and practices for user authentication. If they have not already, they should stop using identification information (including NRIC numbers) as a form of password."
On December 12, news broke that the Accounting and Corporate Regulatory Authority's (ACRA) BizFile portal's search function revealed full NRIC numbers, causing concern. In response, the Ministry of Digital Development and Information (MDDI) said the government plans to stop masking NRIC numbers and government agencies are gradually moving away from the practice.
PDPC: No Changes until Consultations with Industry and Public Completed
Two days later, the PDPC indicated that it would update its advisory guidelines to align with the government's new policy intent but would not make any further changes until it had completed its consultations with industry and members of the public. The Commission also reminded the public not to use their NRIC numbers as passwords and to change their passwords if they have done so.
Yeong suggests improving the design of the search functionality and screen flows of the BizFile website to protect the NRIC numbers and names better. He said, "I note that the search functionality is temporarily unavailable and I hope that they are revising the screen flows."
Eugene Tan Kheng Boon, associate professor of law at the Yong Pung How School of Law at Singapore Management University, said it was unlikely that NRIC numbers will become freely available, barring some circumstances. It would be prudent not to use one’s NRIC number as a password.
Tan said that “while [NRIC number] is a unique identifier, it is certainly not the case that only you know the number. Using one’s NRIC number as a password is never a good idea to begin with, it is never a strong password.”
In his opinion, businesses and organisations should stop using NRIC numbers for identity authentication and verification and should use more than one method of authentication.
In Singapore, the PDPA is the primary means of protecting personal information, but public sector agencies are exempt from the PDPA and instead must comply with the Public Sector (Governance) Act in the collection, use, disclosure and disposal of personal information.
Tan says that the issue is, at its heart, a non-legal one and arises because Singaporeans have been socialised into being sensitive to having their full NRIC numbers made public and they have come to accept and internalise this. He believes that individuals should still be given the choice of whether to have their NRIC number masked. “The key to data protection is to ensure the disclosure of personal information only when necessary.”
Ong Pei Ching, litigation & dispute resolution partner at TSMP Law Corporation, said the disclosure of any kind of personal information comes with the risk of identity theft or fraud.
“To reduce risks of malicious use, organisations such as banks which may significantly affect individuals’ affairs should put in place a robust authentication process, such as implementing two-factor authentication (2FA) policies.”
Ong believes that businesses should not rely on NRIC numbers as the sole means of verification and authentication even if there is a need to verify a customer’s identity to a high degree of fidelity. She said that “many businesses do not need to verify customers by NRIC numbers, or at all”, and there are other ways to verify an individual’s identity such as by asking them to “prove their identity by passwords, organisation-issued QR code, relying on biometric data or sighting physical NRICs (without necessarily retaining copies)”.
Ong also reminded the public not to use their NRIC numbers as passwords. “If anyone has done so, they should change their passwords immediately.”
“Similarly, individuals should not use easily guessable numbers or words for their passwords, such as their birth dates or their mobile numbers.”
Source: Lianhe Zaobao © SPH Media Limited. Permission required for reproduction.