Jasmin Lau: Government agencies move away from partial NRIC numbers
Singapore government agencies are moving away from partial NRIC numbers, using full numbers only when accurate identification is required, as part of broader efforts to prevent misuse and strengthen personal data protection.
- Government agencies are phasing out the use of partial NRIC numbers for identification.
- Full NRIC numbers are used only where accurate identification is required, such as official documents.
- Private organisations risk breaching the Personal Data Protection Act from 1 January 2027 if NRIC numbers are misused.
SINGAPORE: Government agencies are moving away from the use of partial NRIC numbers to identify individuals, Minister of State for Digital Development and Information Jasmin Lau told Parliament on 3 February 2026.
She said the shift is part of broader government efforts to improve the way NRIC numbers are used and to strengthen personal data protection across public and private sector transactions.
Lau was responding to a parliamentary question filed by Pasir Ris–Punggol GRC Member of Parliament Sharael Taha, who asked about progress made to ensure the appropriate use of citizens’ NRIC numbers.
According to Lau, government agencies are changing their practices in two key ways. The first is to stop the misuse of NRIC numbers as authentication credentials.
She stressed that NRIC numbers should not be treated like passwords, as they may already be known to others and are not designed to function as security secrets.
Lau said government agencies had stopped using NRIC numbers for authentication more than a year ago. Efforts are now under way to work with private organisations to do the same.
She added that the Personal Data Protection Commission (PDPC) and the Cyber Security Agency have issued guidance to private organisations on proper NRIC use.
Sectoral agencies such as the Infocomm Media Development Authority, the Monetary Authority of Singapore and the Ministry of Health are also working with industries including telecommunications, finance, insurance and healthcare.
While organisations will be given adequate time to adjust their practices, Lau warned that those which “flagrantly misuse” NRIC numbers could face penalties under the Personal Data Protection Act.
The second area of reform involves moving away from the use of partial NRIC numbers for identification, starting with the public sector.
Lau explained that partial NRIC numbers, such as the last four characters, are not reliable identifiers because multiple individuals can share the same partial numbers.
In some cases, individuals may even share both the same name and the same partial NRIC number, increasing the risk of misidentification.
As a result, most government agencies have stopped using NRIC numbers entirely where there is no need to accurately identify a person.
Where accurate identification is required, agencies are starting to use the full NRIC number instead. Examples include official documents such as licences and government-issued employment letters.
For the private sector, Lau said existing rules on the use of partial NRIC numbers remain in place for now. Any changes to guidelines will be considered only after public consultation.
She said the government would seek to balance the protection of personal data with legitimate business and operational needs.
Separately, the PDPC said on 2 February that private organisations which have not phased out the use of NRIC numbers for authentication risk breaching the Personal Data Protection Act from 1 January 2027.
Government agencies had stopped this practice a year earlier. The PDPC said it would step up enforcement, including issuing directions or imposing financial penalties where appropriate.
The Ministry of Health has also issued guidance to healthcare providers, highlighting heightened sensitivity and security risks in handling personal data.
These sectoral advisories reinforce the policy position that NRIC numbers should not function as security credentials.
Bizfile data leak triggered public outcry in December 2024
The issue of NRIC usage gained public attention following a data leak linked to the Accounting and Corporate Regulatory Authority’s Bizfile portal in December 2024.
On 9 December 2024, the Accounting and Corporate Regulatory Authority (Acra) launched its new Bizfile portal. The platform allowed free access to individuals’ full names and NRIC numbers through its search function.
Concerns were raised by 12 Dec 2024, prompting authorities to shut down the search function the following night.
During the January 2025 parliamentary sitting, Second Minister for Finance Indranee Rajah revealed that over 500,000 searches had been conducted between 9 and 13 December—far exceeding the normal daily volume of 2,000 to 3,000 queries.
Most of the traffic occurred on 13 December, and around 28,000 IP addresses, mainly from Singapore, were involved.
In a parliamentary session on 6 March 2025, then-Senior Minister Teo Chee Hean addressed the accountability surrounding the data leak.
He stated that officers and senior management involved in the incident would face consequences such as counselling, retraining, and reductions in performance grades and bonuses.
Teo noted that political office holders, including Josephine Teo and Indranee Rajah, had accepted responsibility and issued public apologies.
The Permanent Secretaries of the Smart Nation and Digital Government Office (now under MDDI) were responsible for executing related policies.
Chia-Tern Huey Min, chief executive of Acra, oversaw the portal’s design and implementation.
Teo clarified that the review of the incident was not a disciplinary process, and any formal disciplinary action would be handled by the respective public agencies.
