Compliance Takeaways from the Personal Data Protection Commission – Cyber Security Agency of Singapore Joint Advisory on the use of NRIC for Authentication

The digital landscape in Singapore is constantly evolving, bringing both new opportunities and emerging risks. Every organisation has a role in safeguarding the personal data it handles. The Personal Data Protection Commission (PDPC) and the Cyber Security Agency of Singapore (CSA) have issued a Joint Advisory highlighting a common but weak practice: relying on National Registration Identity Card (NRIC) numbers for authentication. The advisory urges organisations to stop using NRIC numbers for this purpose.

Understanding the critical distinction: Identification vs. Authentication

Many organisations treat the NRIC number as if it were a secret authentication factor. The advisory stresses the distinction between identification and authentication:

  • Identification: This is the act of establishing who a person is, for example, using an NRIC number to differentiate one individual from another for administrative purposes.
  • Authentication: This is the process of proving that a person is genuinely who they claim to be, “before granting them access to services or information intended only for them.”

Why should Organisations refrain from using NRIC numbers?

NRIC numbers are meant for identification, not authentication. They are widely known, often disclosed in everyday transactions, and can be guessed or obtained with little effort. Using NRIC numbers, or parts of them, as passwords or other authentication secrets exposes your organisation to the risk of unauthorised access and may breach data protection obligations under the PDPA. The advisory underscores a fundamental security principle: the NRIC number is a unique identifier, not a secret credential.

Mandatory actions for organisations: What You Must Do

This applies to all organisations and employers handling personal data that send protected documents, manage user access or operate online systems, regardless of industry or size.

The key compliance obligations for organisations are:

  1. Stop using full or partial NRIC numbers as passwords or default passwords. This applies to online portals, password-protected documents (e.g. emailed statements) and any system that requires a user login.
  2. Avoid combining NRIC numbers with other easily obtainable personal data (e.g. partial NRIC + date of birth) for authentication.
  3. Do not treat a person's ability to state an NRIC number as proof of identity.
  4. Implement stronger authentication methods based on

Key Actions for Compliance teams

  • Conduct an audit of all systems and workflows (including password-protected documents and manual identity checks) to identify where NRIC numbers are used for authentication.
  • Ensure that full or partial NRIC numbers are not used as passwords or default passwords anywhere in the organisation.
  • Remove authentication processes that rely on NRIC numbers alone or in combination with other easily obtainable personal data (e.g. date of birth), and replace them with stronger authentication methods.
  • Train staff to differentiate between identification and authentication, and provide training on secure authentication practices and data protection obligations under the PDPA.
  • Continuously monitor systems for compliance with data protection and cybersecurity standards.
  • Stay updated with future advisories or regulatory updates from the PDPC and CSA.
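Obligations 1 and 2 above, together with the audit action in this list, describe a concrete check: does a credential contain the user's own NRIC number, a fragment of it, or a fragment combined with their date of birth? The Python below is an added example of that audit check; it is not code from the advisory or from Lexplosion. It validates NRIC/FIN check letters with the publicly documented S/T/F/G checksum (M-series FINs are out of scope), generates the guessable fragments for a user, and reports every record in a constructed sample export whose password is derived from them. The record layout, the sample users and the fragment list are assumptions.

```python
"""Audit helper: flag credentials derived from NRIC numbers and other
easily obtained personal data such as date of birth.

Added illustration, not code from the PDPC/CSA advisory. The checksum is
the publicly documented S/T/F/G scheme; the user records are constructed
sample data for a hypothetical legacy portal (none are real people).
"""
import re
from datetime import date

# Check-letter tables for the documented NRIC/FIN checksum. M-series FINs
# (issued from 2022) use a different table and are deliberately not handled.
_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK_LETTERS = {
    "S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",   # citizens / permanent residents
    "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK",   # foreigners (FIN)
}
_PREFIX_OFFSET = {"S": 0, "F": 0, "T": 4, "G": 4}
NRIC_RE = re.compile(r"(?<![A-Z0-9])([STFG]\d{7}[A-Z])(?![A-Z0-9])", re.I)


def is_valid_nric(nric: str) -> bool:
    """True if `nric` has the S/T/F/G shape and a correct check letter."""
    nric = nric.strip().upper()
    if len(nric) != 9 or nric[0] not in _CHECK_LETTERS or not nric[1:8].isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(nric[1:8], _WEIGHTS)) + _PREFIX_OFFSET[nric[0]]
    return _CHECK_LETTERS[nric[0]][total % 11] == nric[8]


def find_nric_like(text: str) -> list[str]:
    """Checksum-valid NRIC/FIN strings embedded in `text`, e.g. an exported
    list of default passwords or a document-protection config."""
    return [m.upper() for m in NRIC_RE.findall(text) if is_valid_nric(m)]


def personal_data_fragments(nric: str, dob: date) -> dict[str, str]:
    """Guessable fragments of one person's NRIC and DOB (assumed list),
    keyed by the label used in findings. Lower-cased for comparison."""
    nric = nric.upper()
    frags = {
        "full NRIC": nric,
        "NRIC digits": nric[1:8],
        "last 4 of NRIC": nric[5:],          # e.g. '567D', the usual 'partial NRIC'
        "last 4 digits of NRIC": nric[4:8],
        "DOB ddmmyyyy": dob.strftime("%d%m%Y"),
        "DOB ddmmyy": dob.strftime("%d%m%y"),
        "DOB yyyymmdd": dob.strftime("%Y%m%d"),
    }
    return {label: value.lower() for label, value in frags.items()}


def credential_findings(password: str, nric: str, dob: date) -> list[str]:
    """Reasons why `password` is derived from NRIC/DOB; empty means clean."""
    pw = password.lower()
    findings = [label for label, frag in personal_data_fragments(nric, dob).items() if frag in pw]
    # Partial NRIC combined with DOB is still guessable (obligation 2), so
    # report the combination explicitly as well.
    if any(not label.startswith("DOB") for label in findings) and \
            any(label.startswith("DOB") for label in findings):
        findings.append("partial NRIC combined with DOB")
    # Any other checksum-valid NRIC inside the secret (a shared default, or
    # another person's number) is also a finding; mask it in the report.
    for other in find_nric_like(password):
        if other != nric.upper():
            findings.append(f"contains another NRIC-shaped value {other[:1]}****{other[-4:]}")
    return findings


def audit_default_passwords(records) -> dict[str, list[str]]:
    """user id -> findings for each record whose password is NRIC/DOB-derived."""
    report = {}
    for user_id, nric, dob, password in records:
        findings = credential_findings(password, nric, dob)
        if findings:
            report[user_id] = findings
    return report


# Constructed sample export: (user id, NRIC, DOB, current password).
SAMPLE_RECORDS = [
    ("u001", "S1234567D", date(1990, 3, 14), "S1234567D"),       # full NRIC as default password
    ("u002", "T9876543Z", date(2001, 7, 2), "543Z020701"),       # last 4 of NRIC + DOB ddmmyy
    ("u003", "F1234567N", date(1985, 11, 30), "Winter-Sky!2024"),  # unrelated to NRIC/DOB
    ("u004", "S9876543C", date(1975, 1, 9), "S1234567D"),        # someone else's NRIC reused
]

if __name__ == "__main__":
    for uid, why in audit_default_passwords(SAMPLE_RECORDS).items():
        print(uid, "->", "; ".join(why))
```

Running the file lists u001, u002 and u004 with the reason for each; u003 is clean. The checksum step keeps the scan of exported passwords from flagging every nine-character string that merely looks like an NRIC, and the masked output avoids writing full NRIC numbers into the audit report itself.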

Conclusion

The move away from NRIC-based authentication is not merely a compliance exercise; it is a fundamental shift towards a more resilient and trustworthy digital ecosystem. By adopting robust authentication methods, organisations not only meet their legal obligations to safeguard personal data but also strengthen Singapore's collective cybersecurity posture. This is an ongoing journey, and taking proactive steps now helps build a safer digital future for everyone.

Authored by: Anuska Chanda

Co-Authored by: Swapna Umakanth

Disclaimer

The information provided on this blog is for general informational purposes only and is not a substitute for professional legal advice. We are not a law firm and are not authorized to practice law in your jurisdiction. Laws and regulations are complex and constantly changing, and information that may be true in one jurisdiction may not apply in another. Before acting on any information you read here, you should consult with a qualified lawyer practicing in the relevant jurisdiction for your specific legal issues or concerns. While we strive to provide accurate and up-to-date information, we make no guarantees that the information on this blog is completely current or error-free. We disclaim any liability for any actions taken or not taken based on the information on this blog.


    © Copyright 2025 Lexplosion Solutions Private Limited. All Rights Reserved. Powered By Dreamz Interactive.