The truth is, while such loosening of the reins may make many uncomfortable right now, this makes sense for the digital future.
So many parties are already allowed to collect NRIC numbers. For example, real estate agents are required to check NRICs and residency passes to ensure potential tenants are not illegal immigrants, so they usually collect NRIC numbers, often with photos of physical NRICs, along with other details such as your mobile number. (If the agent is renting out the property, they would obviously know the home address.)
Telecommunications companies also have this information.
In short, NRIC numbers are too readily available and accessible.
Regarding privacy, there are now many other de facto common identifiers. Since the COVID-19 pandemic, many of us have become used to freely giving our names, home address and phone number to online retailers and delivery services, along with credit card details – these too have become common identifiers via which our privacy can be compromised.
What about identity theft?
This was one of the main concerns I raised in the first chapter of my 2017 book. But now, I would say that the train has left the station because too many parties already hold NRIC numbers.
THE ROOT CAUSE
The announcement by MDDI may come as a shock to many but it’s nothing new.
The problem for individuals now is that many organisations have been using the NRIC not just for identification purposes, but as part of authentication processes.
This should never have happened in the first place. It is really organisations’ sloppy attitudes to authenticating their clients and/or customers that is the root cause of the current problem.
To put it simply, thumbprints would be perverse tools to use to identify a person, that’s why they are primarily used for authentication. A photo of a person’s face on the other hand would be useful to identify a person but useless for authentication.
Similarly, with NRIC numbers so easily available, their proper use would be to identify, not to authenticate.
Once NRICs are not used for authentication, their use for identity theft and other crimes will be much reduced.
Do I still believe in what I wrote in 2017 that NRIC numbers should be protected? Yes – but only as long as NRICs are still being used to not just identify but to authenticate a person.
Professor Hannah Yee-Fen Lim is an associate professor in business law at Nanyang Technological University, holding double qualifications in computer science and law with Honours. She is the author of six research books, including the first research monograph on the PDPA and GDPR, and hundreds of research papers. She has been appointed legal expert to advise many international organisations, including the World Health Organization and United Nations commissions and other institutes, in areas of technology and law.
