ARTICLE
31 July 2025

Compliance Takeaways From The Personal Data Protection Commission – Cyber Security Agency Of Singapore Joint Advisory On The Use Of NRIC For Authentication

Lexplosion Solutions Private Limited

Contributor

Lexplosion Solutions is a leading Legal-Tech company providing legal risk management solutions in areas of compliance management, audits, contract lifecycle management, litigation management and corporate governance. Lexplosion merges disruptive technology with legal domain expertise to create solutions that increase efficiency and reduce costs.

The digital landscape in Singapore is constantly evolving, bringing both new opportunities and emerging risks. Your organization has a key role in safeguarding the personal data you handle. The Personal Data Protection Commission (PDPC) and the Cyber Security Agency of Singapore (CSA) have issued a Joint Advisory to highlight a significant weakness in typical practices: relying on National Registration Identity Card (NRIC) numbers for authentication. The advisory urges organisations to avoid using NRIC numbers for this purpose.

Understanding the critical distinction: Identification vs. Authentication

Many organisations treat NRIC numbers as a secure authentication factor. The advisory emphasises the importance of understanding the difference between identification and authentication.

  • Identification: This is the act of establishing who a person is, for example, using an NRIC number to differentiate one individual from another for administrative purposes.
  • Authentication: This is the process of proving that a person is genuinely who they claim to be, "before granting them access to services or information intended only for them."

Why should Organisations refrain from using NRIC numbers?

NRIC numbers are meant for identification and not authentication. They are widely known, often publicly disclosed and can be easily guessed or obtained. Using NRIC numbers or parts of them as your passwords, usernames or authentication tools exposes your organisation to security risks and may violate data protection obligations under the PDPA. This directive underscores a fundamental security principle: NRIC is a unique identifier, not a secure authentication credential.

Mandatory actions for organisations: What You Must Do

The advisory applies to all organisations and employers that handle personal data, send password-protected documents, manage user access, or operate online systems, regardless of industry or size.

The key compliance obligations for organisations are listed below:

  1. Stop using full or partial NRIC numbers as passwords or default passwords: this applies to online portals, password-protected documents (e.g., emailed statements), and any system that requires a user login.
  2. Avoid combinations of NRIC numbers with other easily obtainable personal data (e.g., partial NRIC + date of birth) for authentication.
  3. Do not assume that a person's identity is verified solely based on their ability to state an NRIC number.
  4. Implement stronger authentication methods based on:
     • "Something only the person knows (e.g. strong passwords)"
     • "Something only the person owns (e.g. security token, smart card)"
     • "Something only the person has (e.g. fingerprint, face, iris, palm vein)"

Key Actions for Compliance teams

  • Ensure that full or partial NRIC numbers are not used by the organisation as passwords or default passwords.
  • Remove any authentication processes that rely on NRIC numbers alone or in combination with other easily obtainable personal data (e.g. date of birth).
  • Ensure staff are trained to differentiate between identification and authentication.
  • Implement stronger authentication methods.
  • Conduct an audit of all systems and workflows to identify where NRIC numbers are used for authentication.
  • Provide training or access to training on secure authentication practices and data protection obligations under the PDPA.
  • Continuously monitor systems for compliance with data protection and cybersecurity standards.
  • Stay updated with future advisories or regulatory updates from the PDPC and CSA.
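The obligations above (no full or partial NRIC as a password or default password, no NRIC combined with date of birth) and the audit action in this list can be turned into a mechanical check. The following Python is an added example, not code from the advisory, the PDPC, the CSA or Lexplosion. It assumes the general shape of an NRIC/FIN (one prefix letter, seven digits, one check letter) without validating the check letter, treats the last four characters as the "partial NRIC", and runs the check over a constructed set of sample accounts with fictitious identifiers.

```python
import re
from datetime import date

# Assumed shape of a Singapore NRIC/FIN: prefix letter, seven digits, check
# letter. The check letter is deliberately not validated: an NRIC-shaped
# string inside a credential is a finding whether or not it is a valid number.
NRIC_SHAPE = re.compile(r"[STFGM][0-9]{7}[A-Z]")

# Finding labels returned by the policy check.
NRIC_SHAPED = "contains an NRIC-shaped string"
FULL_NRIC = "contains the user's full NRIC"
PARTIAL_NRIC = "contains the last four characters of the user's NRIC"
DOB = "contains the user's date of birth"
NRIC_PLUS_DOB = "combines partial NRIC with date of birth"


def dob_forms(dob_iso):
    """Common digit-only spellings of a date of birth given as YYYY-MM-DD."""
    d = date.fromisoformat(dob_iso)
    return {d.strftime("%Y%m%d"), d.strftime("%d%m%Y"), d.strftime("%d%m%y")}


def password_derived_from_nric(password, nric=None, dob_iso=None):
    """Return the list of reasons a password breaches the NRIC advisory.

    An empty list means the password is not derived from the NRIC or date of
    birth; it says nothing about the password's strength otherwise.
    """
    p = password.upper()
    findings = []
    if NRIC_SHAPE.search(p):
        findings.append(NRIC_SHAPED)

    nric_hit = False
    if nric:
        n = nric.upper()
        if n in p:
            findings.append(FULL_NRIC)
            nric_hit = True
        elif n[-4:] in p:  # assumption: "partial NRIC" means the last four characters
            findings.append(PARTIAL_NRIC)
            nric_hit = True

    dob_hit = False
    if dob_iso and any(form in p for form in dob_forms(dob_iso)):
        findings.append(DOB)
        dob_hit = True

    # The advisory singles out NRIC fragments combined with other easily
    # obtainable data such as date of birth; report that combination explicitly.
    if nric_hit and dob_hit:
        findings.append(NRIC_PLUS_DOB)
    return findings


def audit_default_passwords(accounts):
    """Audit (system, nric, dob, password) records; return systems with findings."""
    report = []
    for acct in accounts:
        findings = password_derived_from_nric(
            acct["password"], acct.get("nric"), acct.get("dob")
        )
        if findings:
            report.append((acct["system"], findings))
    return report


# Constructed sample records with fictitious identifiers; not real people.
SAMPLE_ACCOUNTS = [
    {"system": "e-statement portal", "nric": "S1234567D",
     "dob": "1990-05-21", "password": "S1234567D"},
    {"system": "HR self-service", "nric": "T0011223Z",
     "dob": "1985-11-02", "password": "223Z021185"},
    {"system": "claims portal", "nric": "G7654321X",
     "dob": "1978-01-30", "password": "Welcome1!"},
    {"system": "PDF statement", "nric": "S9988776B",
     "dob": "2001-07-14", "password": "ct7-Qm9!vLz2"},
]

if __name__ == "__main__":
    for system, findings in audit_default_passwords(SAMPLE_ACCOUNTS):
        print(f"{system}: {'; '.join(findings)}")
```

In the constructed sample, the e-statement portal (full NRIC as default password) and the HR self-service system (last four NRIC characters followed by the date of birth) are reported; the other two are not, although "Welcome1!" would still fail any ordinary password-strength policy, which this check does not attempt to replace. For a real audit the same function can be run against default-password templates or help-desk reset procedures rather than stored passwords, since stored passwords should be hashed and unavailable.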

Conclusion

The move away from NRIC-based authentication is not merely a compliance exercise; it is a fundamental shift towards building a more resilient and trustworthy digital ecosystem. By adopting robust authentication methods, organisations not only comply with applicable laws in safeguarding the personal data of individuals but also strengthen Singapore's collective cybersecurity posture and resilience. This is an ongoing journey: taking proactive steps now helps build a safer digital future, and your commitment today ensures a more secure tomorrow for everyone.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
