SINGAPORE The Personal Data Protection Commission (PDPC) said today that tougher enforcement will take effect from January 1, 2027, warning that organisations could face financial penalties if they continue to use NRIC numbers — whether in full or in part — as passwords or authentication factors.

“Organisations that use NRIC numbers for authentication to access personal data may be found to have breached the Personal Data Protection Act (PDPA) for failing to make reasonable security arrangements to protect personal data,” the PDPC said.

Examples flagged as misuse include default passwords made up of NRIC numbers alone or combined with basic personal details such as names or birth dates.— Singapore’s privacy regulator has given private organisations until December 31 to stop relying on full NRIC numbers as a way to verify users’ identities, a move it says is necessary to cut the risk of unauthorised access to personal data, according to a report by CNA.

Government agencies have already discontinued such practices, the PDPC added, saying this shift reduces the possibility of unauthorised access to services and sensitive information. 

Sector-specific guidance has likewise been issued by the Infocomm Media Development Authority, the Monetary Authority of Singapore and the Ministry of Health.

The announcement follows warnings made in January 2025 by Josephine Teo, who urged private organisations to stop the practice “as soon as possible”. 

She noted then that companies could continue collecting partial NRIC numbers purely for identification, and said the government would update guidelines after public consultation.

The issue has been under scrutiny since public anger erupted in late 2024 when the Accounting and Corporate Regulatory Authority’s revamped Bizfile portal inadvertently made users’ full NRIC numbers visible in search results.