Government review finds no wilful wrongdoing in Acra’s NRIC disclosure, but identifies six ‘shortcomings’

Action will be taken against the officers and leaders involved, including reviewing performance assessments

Low Youjin
Published Mon, Mar 3, 2025 · 06:00 PM
    • The disclosure of full NRIC numbers on Acra's Bizfile portal was caused by a “confluence of several shortcomings”, says head of civil service Leo Yip.

    A GOVERNMENT review has found no “deliberate wrongdoing” or “wilful inaction” behind the disclosure of full NRIC numbers on the Accounting and Corporate Regulatory Authority’s (Acra) Bizfile portal on Dec 9 last year.

    Rather, it was caused by a “confluence of several shortcomings”, including an avoidable miscommunication between Acra and the Ministry of Digital Development and Information (MDDI), said head of civil service Leo Yip.

    Yip, who headed the review panel, gave the findings in a letter to Senior Minister and Coordinating Minister for National Security Teo Chee Hean. 

    The letter was one of three official correspondences made available to the media, along with a detailed report of the findings, on Monday (Mar 3).  

    In turn, SM Teo wrote to Prime Minister Lawrence Wong, flagging six shortcomings identified in the report that provide important lessons for the public service.

    He sought PM Wong’s permission to publicly release the report and for it to be deliberated in Parliament, which the prime minister approved in the third letter.


    Six shortcomings

    The first shortcoming, said the report, was that MDDI could have been “clearer in its policy communication” in a Jul 5 circular to public agencies on the usage of NRIC, or National Registration Identity Card, numbers. 

    For instance, the circular stated that agencies were to “immediately cease any planned use of masked NRIC numbers” in new processes or digital products. 

    Acra thought this applied to the Bizfile portal’s people search function, as it considered the updated portal to be a new digital product.

    But MDDI considered this function an existing rather than new use, as partial NRIC numbers were already utilised in an older version of the portal.

    This meant that Acra would not have to stop the use of masked NRIC numbers immediately.

    The panel noted that while both MDDI and Acra had exchanged multiple emails, neither side had “engaged each other in depth on the crux of the misunderstandings”.  

    The second shortcoming was that Acra officers who attended a Jul 16 meeting on the circular did not share the clarifications from the briefing – nor a “frequently asked questions” document – with the project leads for the new Bizfile portal and Acra’s senior leadership. 

    This meant that the project leads and leadership would not have the “context of critical explanations” on how to apply the requirements in the circular. 

    The third shortcoming was that MDDI should have paid more attention to the implementation plan for more complex new-use cases of partial NRIC numbers, such as public registries. 

    The fourth was Acra’s decision to disclose full NRIC numbers in its people search function without a proper risk assessment, which contravened internal government rules on data management. 

    The fifth shortcoming was that certain security features for the Bizfile people search function were not adequately implemented.

    Finally, incident management could have been better after public concerns on the new Bizfile portal surfaced on Dec 12.

    MDDI as well as the Ministry of Finance and Acra said they accepted the findings and apologised for the public anxiety caused.

    The agencies said they will take immediate steps to address the shortcomings and prevent similar incidents, by improving communications, strengthening staff training, and reinforcing the importance of data security.  

    Action will also be taken against the officers and leaders involved, including reviewing performance assessments – with financial consequences – as well as counselling and additional training.

    MDDI said it will share more details on its plans for public education on NRIC misuse soon.

    Copyright SPH Media. All rights reserved.