Private firms given until end-2026 to stop using NRIC numbers for authentication, PDPC says
Private organisations in Singapore have until 31 December 2026 to stop using NRIC numbers for authentication, the PDPC said, warning that enforcement action, including possible penalties, will be stepped up from 2027.

- Private organisations must phase out the use of NRIC numbers for authentication by 31 December 2026, according to the PDPC.
- Enforcement action, including possible financial penalties, will be stepped up from 1 January 2027.
- The move follows earlier advisories and sectoral guidance aimed at reducing unauthorised access risks.
SINGAPORE: Private organisations in Singapore have been given until 31 December 2026 to phase out the use of National Registration Identity Card (NRIC) numbers for authentication, the Personal Data Protection Commission (PDPC) said on 2 February 2026.
The commission said enforcement action against the misuse of NRIC numbers would be ramped up after that date, as part of efforts to reduce the risk of unauthorised access to services and personal information.
According to the PDPC, organisations that continue to rely on NRIC numbers as authentication factors beyond the deadline may be found to have breached the Personal Data Protection Act (PDPA).
The regulator said such practices could constitute a failure to make reasonable security arrangements to protect personal data, a key obligation under the PDPA.
In a statement, the PDPC said that from 1 January 2027 it would step up enforcement action against misuse, including imposing regulatory directions or financial penalties where appropriate.
The announcement builds on a joint advisory issued in June 2025 by the PDPC and the Cyber Security Agency (CSA), which clarified that NRIC numbers should not be used as an identity verification method in the private sector.
That advisory highlighted the inherent security risks of using static and widely known identifiers, such as NRIC numbers, as authentication credentials.
The PDPC reiterated that NRIC numbers are intended for identification rather than authentication, and that conflating the two increases the risk of unauthorised access.
Examples of misuse cited by the commission include using NRIC numbers, either in full or in part, as default passwords for accounts or systems.
This also covers cases where NRIC numbers are combined with other easily obtainable personal data, such as names or dates of birth, to form login credentials.
The PDPC said such practices are particularly vulnerable to guessing, phishing, or data breaches, and do not meet reasonable security standards.
Government agencies have already moved away from using NRIC numbers for authentication, the commission noted, as part of broader digital security reforms.
According to the PDPC, this shift was aimed at reducing the risk of unauthorised access to government services and sensitive information.
Several sector regulators have also issued guidance to support the transition away from NRIC-based authentication in the private sector.
The Infocomm Media Development Authority has provided guidance for telecommunications companies, while the Monetary Authority of Singapore has done so for the finance and insurance sectors.
The Ministry of Health has similarly issued guidance for healthcare providers, where personal data sensitivity and security risks are considered especially high.
These sectoral advisories reinforce the broader policy position that NRIC numbers should not function as security credentials.
In January 2026, Minister for Digital Development and Information Josephine Teo addressed the issue in a ministerial statement.
She said private sector organisations that were using NRIC numbers as authentication factors or default passwords should stop the practice as soon as possible.
Assoc Prof Teo added that organisations which collect partial NRIC numbers for identification purposes may continue to do so under existing rules.
She said the ministry would only consider updating guidelines on NRIC number usage in the private sector after consulting the public.
Bizfile data leak triggered public outcry in December 2024
The ministry’s advisory follows a public backlash in December 2024 after a government portal mishap exposed personal data.
On 9 December 2024, the Accounting and Corporate Regulatory Authority (Acra) launched its new Bizfile portal. The platform allowed free access to individuals’ full names and NRIC numbers through its search function.
Concerns were raised by 12 December 2024, prompting authorities to shut down the search function the following night.
During the January 2025 parliamentary sitting, Second Minister for Finance Indranee Rajah revealed that over 500,000 searches had been conducted between 9 and 13 December—far exceeding the normal daily volume of 2,000 to 3,000 queries.
Most of the traffic occurred on 13 December, and around 28,000 IP addresses, mainly from Singapore, were involved.
In a parliamentary session on 6 March 2025, then-Senior Minister Teo Chee Hean addressed the accountability surrounding the data leak.
He stated that officers and senior management involved in the incident would face consequences such as counselling, retraining, and reductions in performance grades and bonuses.
Teo noted that political office holders, including Josephine Teo and Indranee Rajah, had accepted responsibility and issued public apologies.
The Permanent Secretaries of the Smart Nation and Digital Government Office (now under MDDI) were responsible for executing related policies.
Chia-Tern Huey Min, chief executive of Acra, oversaw the portal’s design and implementation.
Teo clarified that the review of the incident was not a disciplinary process, and any formal disciplinary action would be handled by the respective public agencies.










