To questions by Ms Tin Pei Ling, Mr Zhulkarnain Abdul Rahim and Assoc Prof Jamus Lim, I should emphasise that NRIC numbers are personal data. This means that organisations collecting and using NRIC numbers must continue to exercise a duty of care. Subject to applicable law, they must notify and seek consent on use, and also ensure the data is sufficiently protected. Certainly, they should not disclose the NRIC numbers unless there is good reason to do so.
Members may also ask, if the NRIC number is not suitable as an authenticator, what about the physical NRIC card, our pink identity card? If we look at our physical NRIC card, we will see that it contains other identifying information, such as our photo and fingerprint. It allows others to check that the information on the card matches me, the person holding the card. In addition, the physical NRIC card is not easily faked. The physical NRIC card is, therefore, suitable as an authenticator, or proof of who I claim to be. But someone providing my NRIC number and claiming to be me, does not have these additional factors of proof.
Organisations must know that the physical NRIC card and NRIC number are different. The physical NRIC card can be an authenticator, but the NRIC number should not be used as an authenticator. Organisations should, therefore, not accept my NRIC number alone as proof that the person citing it is indeed me.
Besides organisations, individuals, too, have questions about what they should do. There are also two things. The first is to clarify their understanding of the NRIC number. Members like Ms Sylvia Lim asked about this.
We have said that our NRIC number is like our name. Even if it is not widely disclosed, it is not secret. In our daily lives, if someone we do not recognise calls out our name and starts to behave as though they know us well, we would be slightly suspicious. We might be polite but not too friendly. Certainly, we should not fully trust this person, just because they know our name.
This should also be how we treat anyone who tells us our NRIC number. We should not automatically assume that they know us well or are figures of authority or can be trusted. We should be cautious about revealing more about ourselves, or saying yes to their requests or following their instructions without checking further.
The second thing we can do as individuals is to review our passwords. If we have used our NRIC number as a password to access any information or service, we have mistakenly used it as an authenticator and should change the password immediately. Doing so will give us better protection against people who use our NRIC number to get access to information or services. It will also complement efforts by organisations to stop using the NRIC number as a factor of authentication.
To Ms Hany Soh's question, NRIC-related scams are not new. Most NRIC-related scams involve victims who think they are speaking to figures of authority and end up taking actions that harmed themselves, such as transferring money without further checks. Very few cases have involved scammers directly using NRIC numbers to unlock access to valuables.
Several Members have also asked how to mitigate the risks when NRIC numbers are disclosed. They include Mr Zhulkarnain Abdul Rahim, Mr Edward Chia, Mr Christopher de Souza, Mr Ong Hua Han, Mr Liang Eng Hwa, Ms Jessica Tan, Mr Louis Chua, Miss Cheryl Chan, Mr Sharael Taha and Mr Yip Hon Weng.
As I have explained, the risks arise from the incorrect use of the NRIC numbers. If individuals stop using NRIC numbers as passwords and organisations stop using NRIC numbers as authenticators, this will go a long way to preventing harms from scams and identity theft. They will give us all better peace of mind to use the NRIC number whenever it is necessary, such as to get medical treatment or apply for jobs.
Sir, the Government appreciates that the incorrect uses of the NRIC number may not be well understood. Our public education efforts will raise awareness among organisations and individuals, and to guide them on what they should do. In doing so, we will focus on the points I highlighted above.
Mr Gerald Giam asked about alternatives to the current NRIC number system. In fact, the risks do not arise directly from the structure of the NRIC number. Rather, the risks arise when the NRIC number, which is meant to be a unique identifier, is incorrectly used as an authenticator or a password. Even if we were to create an alternative identifier, we would still have a problem if organisations used it as an authenticator and individuals used it as a password.
Sir, let me turn now to questions about ACRA's exemption from Personal Data Protection Act (PDPA) requirements and the Government's data protection measures. These were raised by Ms Tin Pei Ling, Ms Sylvia Lim, Mr Saktiandi Supaat and Mr Patrick Tay.
The Government has always taken seriously its responsibility to protect the data entrusted to the public sector. The Government's personal data protection standards are set collectively by the Public Sector (Governance) Act, or PSGA, and our own internal rules.
The PSGA is aligned with the PDPA and adapted to the Public Service context. Our internal rules are comprehensive and take reference from international and industry standards. We also continually strengthen our data governance practices.
ACRA is expected to comply with these rules and the PSGA, which are no less stringent than PDPA requirements. Regular, mandatory audits are conducted to ensure that public agencies, including ACRA, comply with the standards for data protection and the security of information and communications technology systems. The number of data incidents and their severity is published annually.
In the most recent whole-of-Government audit exercise on information technology-related data security controls, there were very few significant findings and all of them had been remediated by the agencies concerned. There has also been a reduction in data incidents of medium severity and above. Where necessary, we have also taken public servants to task, for example, in serious cases involving unauthorised disclosure or improper use of information.
Members can be reassured that we take these rules and controls very seriously. We will continue to regularly review the safeguards to ensure that they remain relevant.
