SINGAPORE: In a significant move, the Personal Data Protection Commission (PDPC) is set to update its advisory guidelines regarding the use of National Registration Identity Card (NRIC) numbers to better reflect the government's new policy direction. This decision comes after the government announced plans to discontinue the practice of masking NRIC numbers, following rising public concerns about privacy.

The Ministry of Digital Development and Information (MDDI) revealed on Saturday, December 14, that it intended to implement this change as part of a broader effort to address issues surrounding personal data protection. The MDDI indicated that it was committed to first explaining the ramifications of this decision to the public, ensuring that citizens were fully informed.

In the wake of this announcement, the PDPC received numerous inquiries and feedback from the public related to the appropriate usage of NRIC numbers, prompting a more thorough examination of their guidelines. The PDPC expressed regret for the confusion generated by the government’s statements and assured the public that their concerns would be addressed promptly.

"To meet the new policy intent from the MDDI, we acknowledge that it is necessary to revise our advisory guidelines concerning NRIC and other national identification numbers," the PDPC confirmed. However, officials underscored that no changes will be made until consultations are completed with industry stakeholders and the general public.

A review of the PDPC’s website on Sunday revealed a note stating that the current guidelines for NRIC numbers would remain in effect, but updates are forthcoming in light of the MDDI's new direction.

The MDDI has specifically cautioned against using NRIC numbers as passwords, and has discouraged organizations from leveraging NRIC numbers for authenticating users' identities or as default passwords. The PDPC previously took action against entities that relied on NRIC numbers for authentication in violation of data protection laws.

"An individual’s name and NRIC number are key identifiers. While authentication requires verification of identity, it should not rely solely on information that isn't confidential. Instead, organizations should use secure alternatives like passwords, security tokens, or biometric data," the PDPC stated.

The PDPC further advised organizations to eliminate any practices that involve using NRIC numbers as default passwords, urging them to transition away from these methods urgently. They stressed that individuals should refrain from using their NRIC numbers as passwords, similar to how one would not use their name for the same purpose.

Importantly, the NRIC number remains safeguarded under Singapore's Personal Data Protection Act. Organizations collecting such data must gain explicit consent, practice reasonable use, and implement robust protection measures.

Looking to the future, the MDDI and PDPC will collaborate in 2025 to launch a public awareness campaign aimed at clarifying the purpose and correct uses of the NRIC number. This initiative seeks to empower citizens with knowledge on protecting themselves through proper authentication practices and password management.

As conversations about data privacy continue to evolve, the updates to the NRIC guidelines could have far-reaching implications, reinforcing Singapore's commitment to protecting personal data while navigating modern digital challenges. Stay tuned as we keep you informed on more developments in this crucial area!