Technical Guide to Advisory Guidelines on the PDPA for NRIC and Other National Identification Numbers
The NRIC number of an individual is considered personal data as it can be used to identify the individual, and can be used to access large amounts of information relating to the individual, such as the individual’s name, address, contact numbers, income information and health information. Organisations should thus avoid the use of NRIC numbers as user names or unique identifiers in their applications, websites or public-facing systems. This guide aims to provide organisations with some tips for replacing national identification numbers as a way of identifying individuals in their websites and other public-facing computer systems.
Please refer to the full document here.
Updated as of 14 Dec 2024: In light of the MDDI statement on 13 Dec 2024 outlining the appropriate use and misuse of NRIC numbers, these Advisory Guidelines will be updated. In the meantime, these guidelines remain valid. The PDPC advises against the use of NRIC numbers by individuals as passwords and the use of NRIC numbers by organisations to authenticate an individual’s identity or set default passwords. For more information, please refer to PDPC’s statement of 14 Dec 2024.