Private organisations must stop using NRIC numbers for authentication by Dec 31: IMDA

All private organisations will have to stop using NRIC numbers for authentication by the end of the year, said the Infocomm Media Development Authority (IMDA). 

In a press release on Monday (Feb 2), the authority said that organisations have up to Dec 31 to review their current authentication practices. 

From Jan 1, 2027, the use of NRIC numbers for authentication to access personal data may be considered a breach of the Personal Data Protection Act (PDPA). 

The Personal Data Protection Commission (PDPC) will step up enforcement action against such misuse, said IMDA. 

Possible penalties include imposing directions or financial penalties for such breaches where appropriate. 

Government agencies have ceased NRIC authentication

In June last year, the PDPC and Cyber Security Agency of Singapore (CSA) issued a joint advisory against the use of NRIC numbers for authentication purposes. 

The agencies advised against using NRIC numbers, whether in full or in part, as default passwords. 

Organisations were also urged not to combine NRIC numbers with other easily obtainable personal data such as names and birthdates for passwords to access digital documents or to allow access to an individual's account. 

According to IMDA, government agencies have already moved away from using NRIC numbers for authentication. 

IMDA, the Monetary Authority of Singapore and the Ministry of Health have also issued guidance to the telecommunications, finance and insurance, and healthcare sectors on ceasing the use of NRIC numbers for authentication. 

IMDA encourages organisations to refer to PDPC's latest advisory on good practices for protecting personal data, including NRIC numbers. 

Members of the public may report any misuse of NRIC numbers for authentication to PDPC at https://go.gov.sg/reportnric.

[[nid:712640]]

dana.leong@asiaone.com