Private Organisations to Stop Using NRIC Numbers for Authentication by 31 December 2026; PDPC Issues Advisory on Managing Personal Data (Including NRIC Numbers)

The Personal Data Protection Commission (“PDPC”) has announced that private organisations must cease using National Registration Identity Card (“NRIC”) numbers for authentication by 31 December 2026. The use of NRIC numbers for authentication poses heightened risks of unauthorised access, and organisations that rely on NRIC numbers to authenticate access to personal data may be found in breach of the Personal Data Protection Act for failing to put in place reasonable security measures to safeguard personal data.

From 1 January 2027, PDPC will intensify enforcement against private organisations that continue to use full or partial NRIC numbers for authentication. Enforcement actions include the issuance of directions or the imposition of financial penalties, where appropriate.

In light of this directive, private organisations are advised to review their current authentication methods and transition to more secure alternatives, as outlined in the Joint Advisory against using NRIC Numbers for Authentication issued by PDPC and the Cyber Security Agency of Singapore (“CSA”). To read more about this, please refer to our June 2025 NewsBytes article titled “PDPC and CSA Issue Joint Advisory to Organisations against Using NRIC for Authentication”.

Advisory on Common Data Protection Lapses and Recommended Measures

To assist organisations that handle personal data, including NRIC numbers, PDPC has published an advisory identifying common lapses in how organisations protect personal data and setting out recommended measures to strengthen their data protection practices. 

Lapses During Data and System Migrations

Data protection risks frequently arise during data or system migration exercises, such as transitions to new customer databases or system infrastructure upgrades. These migrations typically involve multiple stages, including data field mapping, extraction from legacy systems, and configuration of access control. Errors at any stage may introduce system vulnerabilities, result in unintended disclosure of personal data, or cause information to be transmitted to incorrect recipients. To mitigate these risks, organisations must put in place appropriate measures including:

  1. implementing process checks to verify data mapping accuracy;
  2. keeping test environments offline and separate from the Internet during the development phase;
  3. putting in place robust end‑to‑end controls for data transfers;
  4. automating critical steps, where feasible, to minimise human error, while also retaining adequate oversight; and
  5. conducting vulnerability assessment and penetration testing (VAPT) prior to system go-live following any changes, and ensuring that no credentials or personal data remain in test environments.

Inadequate Data Breach Detection and Prevention Controls

Data breaches may still occur even when organisations have implemented standard security arrangements such as firewalls and access management systems. Attackers may bypass perimeter defences or exploit compromised user accounts to gain unauthorised access to databases containing personal data.

To address this gap, organisations should implement database-level monitoring and data loss prevention measures, where practicable. Such measures include systems capable of identifying anomalous access patterns, such as unusually large downloads or access to sensitive data outside normal business hours. Organisations should also establish clear policies and response protocols for handling security alerts as part of their data breach management plans.
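The two anomalous access patterns named above (unusually large downloads, and access to sensitive data outside normal business hours) can be checked against database audit records as follows. This is an added illustration, not part of the PDPC advisory or this publication; the record layout, account and table names, business hours and thresholds are assumptions, and the log entries are constructed.

```python
from datetime import datetime, time
from statistics import median

# Constructed audit records: (timestamp, database account, table, rows returned).
AUDIT_LOG = [
    ("2026-03-02T10:14:00", "svc_crm", "customers", 40),
    ("2026-03-02T15:30:00", "svc_crm", "customers", 35),
    ("2026-03-03T09:05:00", "svc_crm", "customers", 52),
    ("2026-03-04T02:37:00", "svc_crm", "customers", 48000),
    ("2026-03-03T11:20:00", "analyst_a", "customers", 120),
    ("2026-03-03T22:05:00", "analyst_a", "products", 90),
    ("2026-03-05T14:45:00", "analyst_a", "customers", 150),
    ("2026-03-07T11:00:00", "analyst_a", "customers", 130),  # a Saturday
]

SENSITIVE_TABLES = {"customers"}   # assumption: tables holding personal data
OPEN, CLOSE = time(8, 0), time(19, 0)  # assumption: business hours, Mon-Fri
VOLUME_FACTOR = 20                 # alert above 20x the account's median read
MIN_ROWS = 500                     # ignore small reads however unusual

def detect_anomalies(records):
    """Return (timestamp, account, reasons) for each record that needs review."""
    parsed = [(datetime.fromisoformat(ts), acct, tbl, rows)
              for ts, acct, tbl, rows in records]

    # Per-account baseline; the median is not skewed by a single huge read.
    history = {}
    for _, acct, _, rows in parsed:
        history.setdefault(acct, []).append(rows)
    baseline = {acct: median(vals) for acct, vals in history.items()}

    alerts = []
    for ts, acct, tbl, rows in parsed:
        reasons = []
        if rows >= MIN_ROWS and rows > VOLUME_FACTOR * baseline[acct]:
            reasons.append("large_download")
        off_hours = ts.weekday() >= 5 or not (OPEN <= ts.time() < CLOSE)
        if tbl in SENSITIVE_TABLES and off_hours:
            reasons.append("off_hours_sensitive")
        if reasons:
            alerts.append((ts.isoformat(), acct, reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(AUDIT_LOG):
        print(alert)
```

Each alert carries the reasons it fired, so the response protocol in the data breach management plan can route a combined large, off-hours read differently from a single off-hours query.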

Regular Review of Data Protection Policies and Practices

Organisations are strongly encouraged to conduct periodic reviews of their data protection policies and practices to identify potential data protection gaps and implement appropriate remedial measures.

Steve Tan, Deputy Head of the Technology, Media & Telecommunications Practice, was previously featured in the January 2025 Channel NewsAsia Deep Dive podcast on the use of NRIC numbers for identity authentication. To listen to this podcast titled “What are the implications of unmasking NRIC numbers?”, please click here.

Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.
