WHAT NEEDS TO CHANGE
Since current practices made Singaporeans vulnerable, Mrs Teo said there was a need to change the status quo – to move away from using NRIC numbers as authenticators.
Masked NRIC numbers would also be discontinued, with other identifiers used instead of full or partial numbers.
“We knew this had to be done over a period of time, and that a major effort would be needed to help Singaporeans understand the risks,” she said.
The government started by telling its agencies to stop using NRIC numbers as passwords or to prove that people are who they claim to be. It also stopped using masked NRIC numbers for new services, and planned to do the same with existing services when they are updated.
Mrs Teo said the Personal Data Protection Commission’s (PDPC) guidelines will be updated to put a stop to the wrong uses of NRIC numbers and to reassure organisations that have “legitimate reasons” to use NRIC numbers.
Most organisations and people can carry on with what they are doing, and continue to exercise care in handling NRIC numbers.
“For organisations that are not using NRIC numbers, whether full or partial, as password or authenticator, nothing has changed,” she said. “But if they are, then they should stop these practices as soon as practicable.”
Using NRIC numbers as passwords or authenticators is not a secure way to handle customer interactions, and that has to stop, she said.
