The move seeks to better protect citizens as it prevents impersonation and easy access to personal data or records
[SINGAPORE] The Personal Data Protection Commission (PDPC) and Cyber Security Agency (CSA) urged private organisations to stop using national registration identity card (NRIC) numbers for authentication in a joint advisory posted on their websites on Thursday (Jun 26).
This comes on the back of government efforts, since January, to ensure the proper use of NRIC numbers in the private sector to better protect citizens, the Ministry of Digital Development and Information (MDDI) said in a statement on the same day.
“NRIC numbers should not be used to prove that a person is who he claims to be for the purposes of trying to gain access to services or information meant only for that person,” the MDDI statement said.
“It is unsafe for organisations to use NRIC numbers in this manner because a person’s NRIC number may be known to others, permitting anyone who knows his NRIC number to impersonate him and easily access his personal data or records,” the MDDI statement added.
The ministry noted that some private sector organisations currently require individuals to use their NRICs as passwords to access information intended solely for them, such as insurance documents.
Organisations that use full or partial NRIC numbers for authentication should transition away from this practice as soon as possible, it said.
This includes not setting NRIC numbers as default passwords and not using full or partial NRIC numbers with other easily obtainable personal data.
“If it is necessary to authenticate a person, organisations should consider alternative methods, for example requiring the person to use strong passwords, security token or fingerprint identification,” the MDDI statement said.
Copyright SPH Media. All rights reserved.
