Organisations to cease the use of NRIC numbers for authentication by 31 December 2026

02 Feb 2026

Private organisations will have until 31 December 2026 to phase out the use of NRIC numbers for authentication. From 1 January 2027, the Personal Data Protection Commission (PDPC) will step up enforcement action against private organisations that use full or partial NRIC numbers for authentication.

Moving away from the use of NRIC numbers for authentication

In June 2025, the PDPC and CSA issued a joint advisory to clarify that NRIC numbers should not be misused for authentication1. Common examples of misuse include using NRIC numbers (whether in full or part) as default passwords, whether on their own or together with other easily obtainable personal data such as names and birthdates (e.g. "567A01Jan80"). Such passwords should not be used to access digital documents or to allow access to an individual’s account. Government agencies have already moved away from using NRIC numbers for authentication, to reduce the risk of unauthorised access to services and information.

The Infocomm Media Development Authority (IMDA), Monetary Authority of Singapore (MAS) and the Ministry of Health (MOH) have also issued guidance to the telecommunications, finance and insurance, and healthcare sectors, on ceasing the use of NRIC numbers for authentication within their sectors. 

Enforcement against misuse to step up from 1 January 2027

All private organisations should review their current practices and phase out the use of NRIC numbers for authentication by 31 December 2026. Organisations that use NRIC numbers for authentication to access personal data may be found to have breached the Personal Data Protection Act (PDPA) for failing to make reasonable security arrangements to protect personal data. From 1 January 2027, the PDPC will step up enforcement action against such misuse, including imposing directions or financial penalties for such breaches where appropriate. Organisations may also refer to PDPC’s latest advisory on good practices for protecting personal data, including NRIC numbers.

Members of public may report any misuse of NRIC numbers for authentication to PDPC here: https://go.gov.sg/reportnric.

 

[1] Authentication refers to the process of proving that a person is who he claims to be, before granting him access to services or information intended only for him. This differs from identification, where identifiers such as names are used to tell people apart. For more information please refer to PDPC and CSA’s joint advisory on authentication.

Tags:

Related References

Advisory guidelines and guides as reference materials on the PDPA requirements and good practices to adopt

Related Help & Tools

Help and tools that organisations may use to identify and/or address existing data protection gaps