PDPC’s reply to media queries on the use of NRIC numbers

14 Dec 2024

We refer to the statement issued by MDDI yesterday outlining the appropriate use and misuse of NRIC numbers. This statement specifically advises against (a) the use of NRIC numbers by individuals as passwords and (b) the use of NRIC numbers by organisations to authenticate an individual's identity or to set default passwords.
PDPC has previously taken action against organisations which have used NRIC numbers for authentication and thereby breached their data protection obligations. With the public attention drawn to the misuse of NRIC numbers, we are emphasising these recommendations with added urgency.
Use of NRIC numbers by individuals as passwords
The NRIC number should not be used as a password, just as our names are not used as passwords. Anyone who has done so should immediately change their password.
Most services that require password access will also allow for the password to be changed. This is usually available on the service portal itself. If the change function cannot be found on the service portal, it is best to contact the service provider immediately for advice to change the password.
In deciding on the new password, there are well-established good practices to observe. For example, passwords should be set with a minimum level of complexity (e.g. at least 12 alphanumeric characters with a mix of uppercase, lowercase and numeric characters, or commonly used phrases or passphrases). For more details, please refer to the guidelines issued by CSA [https://www.csa.gov.sg/alerts-advisories/Advisories/2022/ad-2022-008].
Use of NRIC numbers by organisations to authenticate an individual's identity or set default passwords
A person's name and NRIC number identify who the person is. Authentication is about proving you are who you claim to be. This requires proof of identity, for example through a password, a security token or biometric data. As the NRIC number is not a secret, it should not be used by an organisation for authentication purposes. PDPC has consistently taken organisations to task for using NRIC numbers for authentication.
The NRIC number should also not be used as the default password for services provided to an individual. Organisations that have such practices should phase them out as soon as possible.
In designing their authentication practices, organisations should refer to pages 15-16 of the Guide to Data Protection Practices for ICT Systems issued by PDPC. For example, there should be strong requirements for administrative accounts, such as complex passwords or 2-Factor Authentication ("2FA")/Multi-Factor Authentication ("MFA"), as unauthorised access is one of the most common types of data breaches.
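The two rules above (no NRIC number as a password, and no NRIC number as a default password) and the complexity guidance in the individual section can be enforced at the point where an organisation accepts or issues credentials. The following is an added example written for this page; it is not PDPC's, CSA's or any product's code. It assumes only the public shape of an NRIC/FIN number (a prefix letter, seven digits and a check letter) and does not attempt checksum validation; the sample values in the usage section are constructed and do not belong to any real person.

```python
import re
import secrets
import string
from typing import List, Optional

# Shape of an NRIC/FIN number: prefix letter, seven digits, check letter.
# Assumption for this example: the check is on format only, no checksum.
NRIC_PATTERN = re.compile(r"^[STFGM]\d{7}[A-Z]$")
MIN_LENGTH = 12  # minimum length, following the complexity guidance above


def looks_like_nric(value: str) -> bool:
    """Return True if the value has the shape of an NRIC/FIN number (case-insensitive)."""
    return NRIC_PATTERN.match(value.strip().upper()) is not None


def password_problems(password: str, user_nric: Optional[str] = None) -> List[str]:
    """Return the reasons a candidate password is unacceptable (empty list = acceptable).

    First rejects anything NRIC-shaped and, when the account holder's NRIC is
    known, anything equal to it or containing its seven-digit run; then applies
    a plain length and character-class check.
    """
    problems: List[str] = []
    candidate = password.strip()

    if looks_like_nric(candidate):
        problems.append("password is an NRIC/FIN-shaped value")

    if user_nric:
        nric = user_nric.strip().upper()
        if candidate.upper() == nric:
            problems.append("password equals the account holder's NRIC")
        elif nric[1:8] in candidate:
            problems.append("password contains the NRIC digit sequence")

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    return problems


def initial_password(length: int = 16) -> str:
    """Generate a random, per-user initial password instead of defaulting to the NRIC.

    Uses the secrets module so the value is unpredictable. Regenerates until the
    value passes the same policy that user-chosen passwords must pass.
    """
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample NRIC; S1234567D is a commonly used example value, not a real person.
    sample_nric = "S1234567D"
    print(password_problems(sample_nric, sample_nric))          # several problems
    print(password_problems("xY1234567zz!", sample_nric))        # contains the NRIC digits
    print(password_problems("Correct-Horse-Battery-42"))          # [] (acceptable)
    print(initial_password())                                    # random replacement default
```

An organisation would call `password_problems` both when a user sets a password and when an administrator provisions one, and would deliver the value returned by `initial_password` out of band with a forced change on first login; the NRIC number itself stays an identifier and never becomes a credential.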
Like any personal identifier, the NRIC number remains subject to the data protection obligations in the PDPA. Organisations collecting NRIC data must therefore still obtain valid consent, use the data only for reasonable purposes and ensure it is protected.
PDPC's advisory guidelines for NRIC and National Identification Numbers

We have received questions and feedback from the public following yesterday's statements by MDDI on the appropriate use and misuse of NRIC numbers. We are sorry for the confusion caused to the public and will fully address the public's concerns and questions as soon as possible.
We recognise that the PDPC advisory guidelines for NRIC and National Identification Numbers need to be updated to align with the statement. We will not be making any further changes until we have completed our consultations with industry and members of the public. The guidelines will then be updated to align with the new policy intent.