MDDI’s statement specifically advises individuals against using NRIC numbers as passwords, and organisations against using NRIC numbers to authenticate an individual’s identity or to set default passwords, said PDPC.
The commission noted that it had previously taken action against organisations which used NRIC numbers for authentication and “breached their data protection obligations”.
It said: “A person’s name and NRIC number identifies who the person is. Authentication is about proving you are who you claim to be. This requires proof of identity, for example, through a password, a security token or biometric data.
“As the NRIC number is not a secret, it should not be used by an organisation for authentication purposes.”
The commission also advised organisations against using NRIC numbers as the default password for services provided to an individual.
“Organisations that have such practices should phase them out as soon as possible,” it added.
On individuals using NRIC numbers as passwords, the commission said the numbers should not be used as a password, just as “our names are not used as passwords”, adding that those who have done so should immediately change their password.
PDPC noted that the NRIC number is still subject to the data protection obligations in the Personal Data Protection Act, and that organisations collecting such data must still obtain valid consent, comply with reasonable use and ensure protection.
In 2025, MDDI and PDPC will be carrying out public education about the purpose of the NRIC number and “how it should be used freely as a personal identifier”.
They will also aim to educate people on how they can protect themselves through the proper use of authentication and passwords.