新加坡个人信息保护新规：机构索取身份证号码需征求同意

Over time, however, NRIC numbers have become increasingly used as more than an identifier. Previously, organisations would require seeing my physical NRIC card to confirm that I am who I claimed to be. However, some organisations assume that if someone can cite my NRIC number, that person must be me! This is clearly wrong.

On the assumption that this person is indeed me, some organisations may go further to give the person access to privileged information or services. When used this way, my NRIC number is no longer just an ID, or identifier, but a key to unlock more information or services. In such situations, the NRIC number is being accepted as an authenticator, or proof of who a person claims to be. This is clearly inappropriate.

Instead of the full NRIC number, some organisations collect and use a partial NRIC number, usually the last four characters of the NRIC number. They think that this is safe and that revealing only the last four characters still keeps the full NRIC number secret. Among public agencies, even when the agencies had the full NRIC numbers, the use of masked NRIC numbers became more common.

Besides organisations, some individuals also started to use their NRIC numbers as their passwords. They did so under the impression that the full NRIC number is secret.

However, as shown by Dr Tan Wu Meng in his question, there are now algorithms that can be found online, that have made it easier to work out the full NRIC number from the partial or masked NRIC number. The easy availability of such algorithms means that the continued use of partial or masked NRIC numbers gives both organisations and individuals a false sense of security. This does not really keep the full NRIC number secret. This also makes the practice of using NRIC numbers as passwords even more inappropriate.

To the questions by Dr Tan, Mr Liang Eng Hwa and Ms Sylvia Lim, these developments led the Government to take steps to stop the incorrect uses of the NRIC number. This meant two things: one, not using the NRIC number as an authenticator; and two, moving away from the use of masked NRIC numbers, because it creates a false sense of security.

We knew this transition would take time. But it was better to start while the problem is relatively contained and for the Government to take the lead.

To the question by Ms Joan Pereira, we proceeded to ask agencies to stop using the NRIC number as an authenticator or as a password. We also asked agencies not to plan new uses, with a view to discontinuing existing uses of masked NRIC numbers eventually.

The lapse in coordination between agencies led to ACRA's misunderstanding and the disclosure of full NRIC numbers in the People Search function of its new Bizfile portal.

未完待续,请点击[下一页]继续阅读