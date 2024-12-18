SINGAPORE: On Dec 9, the Accounting and Corporate Regulatory Authority (ACRA) launched its new Bizfile portal featuring a search function that displayed people's names and full National Registration Identity Card (NRIC) numbers, causing a public stir due to rising rates of scams related to identity theft.

The Ministry of Digital Development and Information (MDDI) on Dec 14 announced that our NRIC numbers shouldn't be viewed as sensitive information any more than our names are – but instead of assuaging the public, this seems to have generated more anxiety.

Has there been a policy shift? In terms of the Personal Data Protection Act (PDPA) – no, as legislation has not changed. The PDPA has always been business-friendly, giving only baseline protection for personal data and encouraging data analytics – this has not changed either.

But the Personal Data Protection Commission's (PDPC) advisory guidelines do have to change in line with the announcement from MDDI.

So why is this happening now?

IDENTIFICATION VS AUTHENTICATION

At the outset, we must distinguish between identification and authentication, which are related but quite different.

To identify a person is simply to say this person is Mary and not Martha. But if there are two persons named Mary, for us to know which Mary we are referring to, we need the NRIC number to identify the person – to tell us whether it is Mary who is 50 years old, or Mary who is 20 years old. This is the identification purpose of the NRIC.

In my book on Singapore’s PDPA and Europe’s General Data Protection Regulation (GDPR) published in May 2017, I criticised the PDPA legislation for not protecting NRIC numbers and argued why they need to be protected.

One of my main concerns was the identification purposes of NRIC numbers that can be used by private entities to link with other data for nefarious purposes.

Being a common identifier, a third party can use the common identifier of NRIC number to link and determine that the Mary who went to a hospital yesterday is the same Mary who went to the bank today – because the same NRIC number appears in both sets of records. This is primarily an issue of privacy.

In 2018, Singapore’s PDPC released guidelines stating that the use and disclosure of NRIC numbers is a special concern. The arguments and concerns highlighted in the guidelines were similar to those published earlier in my book. In the same guidelines, the Commission introduced the practice of masking NRIC numbers.