SINGAPORE: Private organisations have until the end of 2026 to phase out the use of NRIC numbers for authentication, the Personal Data Protection Commission (PDPC) announced on Monday (Feb 2).

Authentication refers to the process of proving that a person is who they claim to be, before granting them access to services or information intended only for them. This differs from identification, where identifiers such as names are used to distinguish people.

The latest announcement came as the authorities move to reduce the risk of unauthorised access to services and information.

Here is what you need to know about the NRIC authentication ban:

How did the ban come about?

In 2024, the Accounting and Corporate Regulatory Authority (ACRA) launched the then-new Bizfile portal, sparking public backlash after it was found that people's full NRIC numbers and names could be obtained via the portal for free.

Under ACRA's previous system, users could search for people who were office holders or business owners in Singapore, with their names, as well as masked NRIC numbers, turning up in search results.

Users could then pay for the complete set of information about an individual, which would have included his or her full NRIC number as well as an address.

Following the backlash, the PDPC and Cyber Security Agency (CSA) issued a joint advisory last year to private sector organisations clarifying that NRIC numbers should not be misused for authentication.

Government agencies have already moved away from using NRIC numbers for authentication, said the PDPC on Monday.

What would be considered an improper use of an NRIC number for authentication?

According to PDPC's website, organisations are generally not allowed to collect, use or disclose an individual's NRIC number, unless it is required by law or if it is necessary to identify a customer to a high degree of accuracy.

Organisations should also not use NRIC numbers, whether full or partial, as any factor of authentication.

Examples of misuse for authentication include using NRIC numbers – in full or part – as default passwords. This includes cases where the passwords are NRIC numbers on their own or together with other easily obtainable personal data, such as names and birthdates.

This is because NRICs are "issued to uniquely identify a person and must be assumed to have been disclosed to at least a few other persons, which reduces their effectiveness as a factor of authentication", said PDPC on its website.

"When passwords are used to authenticate a person, strong passwords that are not easily guessed should be used. Passwords containing information that can be obtained easily, including personal data such as names, NRIC numbers or birthdates, are not strong passwords."
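The two PDPC points above (an NRIC is an identifier that must be assumed known to others, and a password built from obtainable personal data is not a strong password) translate directly into a control at account onboarding: reject any initial or default credential that embeds the customer's NRIC, name or birthdate, and issue a random one-time credential instead. The following Python is an added illustration written for this page, not code from the PDPC, CSA or any named organisation. It assumes the NRIC/FIN shape (a prefix letter, seven digits, a check letter) and that the usual masking leaves the last three digits and the check letter visible; it does not validate the check letter.

```python
import re
import secrets
import string

# Shape of an NRIC/FIN: one prefix letter, seven digits, one check letter.
# Assumption for this example: shape only, the check letter is not verified.
NRIC_RE = re.compile(r"[STFGM]\d{7}[A-Z]", re.IGNORECASE)


def _normalise(s: str) -> str:
    """Lower-case and keep only letters and digits, so that 'Tan Ah Kow',
    'tanahkow' and 'TAN-AH-KOW' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _date_forms(dob: str) -> list[str]:
    """Common ways a birthdate given as YYYY-MM-DD appears inside passwords."""
    y, m, d = dob.split("-")
    return [y + m + d, d + m + y, d + m + y[2:], y[2:] + m + d, d + m, m + d, y]


def password_problems(password: str, *, nric: str, name: str, dob: str) -> list[str]:
    """Return the reasons a candidate password is unacceptable under the advisory:
    it must not contain the customer's NRIC (in full or in part), name or
    birthdate. An empty list means no personal data was found in it."""
    problems = []
    pw = _normalise(password)

    # Any NRIC-shaped token anywhere in the password is rejected outright.
    if NRIC_RE.search(password):
        problems.append("contains an NRIC-shaped token")

    # Partial NRIC: the seven-digit run, or the tail that masking leaves visible
    # (assumed here to be the last three digits plus the check letter).
    n = _normalise(nric)
    nric_digits = re.sub(r"\D", "", nric)
    unmasked_tail = n[-4:]
    if n in pw or nric_digits in pw or unmasked_tail in pw:
        problems.append("contains the customer's NRIC number or part of it")

    # Name: any single name part of three or more characters.
    for part in name.split():
        if len(part) >= 3 and _normalise(part) in pw:
            problems.append(f"contains name part '{part}'")
            break

    if any(form in pw for form in _date_forms(dob)):
        problems.append("contains the customer's birthdate")

    return problems


def issue_default_credential(*, nric: str, name: str, dob: str, length: int = 16) -> str:
    """Generate a random one-time initial credential that carries no personal
    data. In the rare case that a random string happens to contain one of the
    customer's identifiers, draw again, so the result always passes the check."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate, nric=nric, name=name, dob=dob):
            return candidate


if __name__ == "__main__":
    # Constructed sample customer; the NRIC value is a made-up placeholder.
    customer = dict(nric="S1234567D", name="Tan Ah Kow", dob="1990-05-14")
    for pw in ["S1234567D", "tanahkow1990", "567D!pass", "correct horse battery staple"]:
        print(repr(pw), "->", password_problems(pw, **customer) or "ok")
    print("issued:", issue_default_credential(**customer))
```

The check is deliberately a denylist on personal data rather than a full strength policy; it sits alongside whatever length and breach-list rules the organisation already applies, and the one-time credential should be forced to change at first login.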

What organisations are affected by the move?

Any organisation that needs to collect or use NRIC numbers to identify a customer to a high degree of accuracy will be affected by the move.

Examples include organisations that deal with transactions typically relating to healthcare, financial or real estate matters, such as medical check-ups and reports, background credit checks with a credit bureau, and property transactions.

Other organisations include insurance companies, vehicle rental companies, utility service providers and retailers, telecoms providers and veterinary clinics.

The Ministry of Digital Development and Information (MDDI) said on Tuesday that the Infocomm Media Development Authority, Monetary Authority of Singapore and the Ministry of Health have issued guidance to the telecommunications, finance and insurance, and healthcare sectors on ceasing the use of NRIC numbers for authentication within their sectors.