SINGAPORE: She loves me. She loves me not. She loves me. She loves me not.
Our beloved National Registration Identity Card (NRIC) must have recently felt like a teenager entering a sea of raging hormones and feeling overwhelmed.
Upon receiving an internal circular signalling a broader policy shift to gradually move away from using NRIC numbers as a method of authentication, the Accounting and Corporate Regulatory Authority (ACRA) misunderstood it as a green light to unmask the numbers in the roll-out of its new Bizfile portal.
Once netizens discovered that the Bizfile portal’s people search function was turning up NRIC numbers as well, a furore ensued. ACRA has since withdrawn that feature and apologised for the confusion.
A LEGACY SYSTEM MOVING INTO A DIGITAL WORLD
The NRIC was introduced in a time when modes of identity verification were primarily physical. It was used to ascertain individuals’ identities for all types of actions and transactions - entry into buildings, opening and operating bank accounts, registration for government services.
For many, it was associated with the ability to access or exercise one’s rights and privileges living in Singapore. However, its use quickly expanded over time to extend to other less formal purposes - announcing the winners of lucky draw prizes, for instance, and even as security for the renting of leisure bicycles, leading to worries that the NRIC had been “cheapened”.
These (and similar) practices were legislated away with the introduction of the Personal Data Protection Act, which by its guidelines restricted the use of NRICs and mandated the masking of NRIC numbers where their use was needed or involved. The love had returned.
Today, it has evolved into a multi-purpose identifier used across government agencies, private businesses, and digital platforms. Its ubiquitous use has made it indispensable - but this convergence has also made it a possible single point of failure.
In the recent Bizfile portal fuss, there was a moment where it felt as if the NRIC was going to be abandoned - damaged beyond repair. However, assurances and explanations by the government suggest that it still has a role to play, albeit a different one than previously assumed.
ACRA's mishap highlights the vulnerabilities of such centralised systems. If compromised, the fallout affects not just personal privacy but also national security and public trust.
This incident also reignited a critical conversation about the role and security of the NRIC in Singapore.
THE CASE FOR DECENTRALISED IDENTITY MANAGEMENT
For decades, the NRIC has been a cornerstone of identity management, but in an era of rising cybersecurity threats and digital transformation, it is time to reconsider its function and safeguard its relevance.
Singapore’s Smart Nation vision emphasises resilience and adaptability in an increasingly technologically advanced world. A logical next step is transitioning from a centralised identity model to a decentralised, blockchain-based framework.
Decentralised identity (DID) systems allow individuals to retain control of their personal data while granting selective access to third parties.
Imagine all your personal information collected in one place, much like a physical wallet or purse which contains your credit cards, bank cards, library card, name card, membership cards, discount cards and a smattering of cash. Continuing to use NRICs for all authentication processes is a bit like handing over the entire wallet to pay for an ice cream, rather than just retrieving the cash or bank card you need.
A well-designed DID system would allow us to create similar digital “wallets” for our personal data, allowing us to control who can get what information.
By adopting this approach, Singapore can reduce dependency on a single identifier such as the NRIC.
Such a system could involve the use of digital wallets or tokens linked to an individual’s identity, encrypted and verifiable without exposing raw data. This method aligns with global trends, such as the European Union’s eIDAS 2.0 initiative, and offers better protection against data breaches.
These newer systems compare against the digital identity model that the US-based National Institute of Standards and Technology (NIST) set out in its June 2017 Digital Identity Guidelines, and the Russian government’s e-government system of trusted identities (ESIA), which use trusted intermediaries.
ENHANCED SECURITY PROTOCOLS FOR NRIC DATA
Until such a transition is feasible, certain steps can be taken to fortify the NRIC system. These include:
- Implementing data minimisation: Limit the situations where NRIC numbers are required. Already, Singapore has restricted the private sector’s collection of NRIC numbers since 2019. This should extend to other identifiers like birthdates and addresses, further reducing the risk of exposure.
- Strengthening encryption standards: Data encryption should not only be mandatory but also regularly updated to stay ahead of cybercriminals.
- Mandating real-time breach notifications: Organisations handling NRIC data must be obligated to notify affected individuals and authorities immediately after a breach, ensuring prompt mitigation.
- Fines and accountability: Organisations mishandling NRIC data already face stricter penalties. This incentivises better compliance and investment in cybersecurity.
A CULTURAL SHIFT IN IDENTITY AND DATA PROTECTION
Beyond technological upgrades, we must shift the cultural mindset around identity.
Singaporeans need to be educated on the importance of safeguarding their personal information, much like how the nation has emphasised financial literacy. Clear guidelines on when and where NRIC data can be shared should be communicated widely.
In addition, this mishap has crystallised the importance of the data protection officer, especially in organisations that set data use policy or make significant decisions on personal data in their products and services.
In this day and age, the role of the data protection officer and/or chief data officer is a critical and active one and not a passive side-show. For organisations dealing in personal data, they should be key players in decision-making processes.
AN OPPORTUNITY TO SET A STANDARD
The ACRA incident isn’t just a wake-up call - it’s an opportunity.
Singapore has long been a regional and global leader in areas of governance and innovation. As countries all over the world face increasingly complex dilemmas amid political and economic uncertainty, how can we set a global standard for secure, forward-thinking identity management?
In striving to develop and enhance our uses and processes around the NRIC in order to meet the challenges of the digital age, we can ensure that everyone in Singapore is afforded access to the efficiency of tech-enabled systems and services, but well-protected from the dangers of misuse and abuse.
The NRIC is more than just a number - it represents the trust Singaporeans place in their institutions. Let’s not squander that trust.
Instead, let’s reimagine the NRIC as a secure and modernised cornerstone of Singapore’s Smart Nation aspirations.
Bryan Tan is a partner at Reed Smith Singapore and is a contributor to Data Protection Law in Singapore. The views expressed here are his own.