Private organisations still using NRIC numbers for authentication may face sanctions from 2027

Experts say replacing NRIC with more secure authentication is a sensible approach in this digital age

Published Mon, Feb 2, 2026 · 03:10 PM
    • Organisations that do not comply could face financial penalties. PHOTO: ST

    [SINGAPORE] Private organisations that have not phased out the use of NRIC numbers for authentication will risk breaching the Personal Data Protection Act (PDPA) from Jan 1, 2027.

    In a statement on Monday (Feb 2), the Personal Data Protection Commission (PDPC) said that organisations that continue to use NRIC numbers for authentication to access personal data may be failing to make reasonable security arrangements to protect personal data. This would constitute a breach of the PDPA.

    “From Jan 1, 2027, the PDPC will step up enforcement action against such misuse, including imposing directions or financial penalties for such breaches where appropriate,” said the commission. “Organisations may also refer to PDPC’s latest advisory on good practices for protecting personal data, including NRIC numbers.”

    The PDPC and Cyber Security Agency of Singapore (CSA) in June 2025 issued a guide to stop the use of NRIC numbers for authentication in the private sector. This includes using full or partial NRIC numbers as default passwords, whether on their own or together with other easily obtainable personal data such as names and birthdates.

    “Such passwords should not be used to access digital documents or to allow access to an individual’s account,” said PDPC in its Feb 2 statement.

    Government agencies have already stopped using NRIC numbers for authentication.

    Meanwhile, the Infocomm Media Development Authority, Monetary Authority of Singapore and the Ministry of Health have also issued guidance to the telecommunications, finance and insurance, and healthcare sectors, on ceasing the use of NRIC numbers for authentication within their sectors.

    The policy shift away from regarding NRIC numbers as sensitive information happened after NRIC numbers belonging to key representatives of companies registered under Accounting and Corporate Regulatory Authority’s (Acra) database were revealed by mistake on its new Bizfile Web portal on Dec 9, 2024.

    Since then, the Government has been taking steps to ensure the proper use of NRIC numbers across the public and private sectors.

    Experts said that moving away from NRIC numbers for authentication and turning to more secure methods is a sensible approach in this digital age. These more secure methods include strong passwords, security tokens or biometric identification systems.

    Experts estimated a timeline of three to six months for larger organisations such as major banks, telcos and healthcare groups to fully set up the infrastructure for more secure authentication methods.

    Smaller organisations that rely on NRIC numbers as a form of authentication could take even longer to adapt, depending on the complexity of the changes, regulatory compliance checks and vendor capabilities, according to experts. THE STRAITS TIMES

    Copyright SPH Media. All rights reserved.