PDPC Update – March 2026
Organisations Must Stop Using NRIC Numbers for Authentication by 31 December 2026

The Personal Data Protection Commission (PDPC) has announced that all private organisations in Singapore must stop using full or partial NRIC numbers for authentication by 31 December 2026. Continuing to do so may be considered a breach of the Personal Data Protection Act (PDPA), as it fails to provide reasonable security protection for personal data. From 1 January 2027, PDPC will step up enforcement, including issuing directions or financial penalties for non‑compliance.

Key Deadlines
By 31 December 2026

Organisations must fully remove NRIC numbers (full or partial) from all authentication processes.

From 1 January 2027

PDPC will actively enforce the rule and take action against organisations that continue using NRIC numbers for authentication.

Who Issued This Requirement

This mandate is issued by the Personal Data Protection Commission (PDPC), supported by earlier joint advisories from the Cyber Security Agency (CSA) and sector‑specific guidance from IMDA, MAS, and MOH.

What Is Changing
Practices That Must Stop
Organisations must stop using NRIC numbers (full or partial) for authentication, including:
  • Using NRIC numbers as passwords or default passwords
  • Combining NRIC numbers with easily obtainable personal details such as:
    • Name
    • Date of birth
    Example of such a combined password: 567A01Jan80
  • Using NRIC numbers to:
    • Log into accounts
    • Open digital documents
    • Access systems or services
These practices are now considered misuse of NRIC numbers for authentication.

What Is Still Allowed

Identification, not authentication, is still permitted.
Organisations may use NRIC numbers to identify or differentiate individuals when allowed under the law (e.g., internal records, necessary forms).

Key distinction:
  • Identification = “Who are you?”
  • Authentication = “Prove it’s really you before we grant access.”

Enforcement From 1 January 2027
From 1 January 2027, organisations that continue using NRIC numbers for authentication may be found in breach of the PDPA for failing to provide adequate security arrangements.
Potential enforcement actions include:
  • Mandatory directions to change processes
  • Financial penalties
  • Other corrective measures where required

What Organisations Should Do Now
1. Review All Authentication Processes

Check for any use of NRIC numbers in:

  • Login credentials
  • Default passwords
  • Account recovery
  • Document access
  • Customer portals and mobile applications
2. Replace NRIC‑Based Authentication With More Secure Methods

3. Update Internal Policies and Vendor Systems
  • Ensure third‑party vendors comply with the new requirements
  • Update standard operating procedures, staff training, and system documentation
4. Refer to PDPC Guidance

Follow PDPC’s latest advisories on good practices for protecting personal data, including NRIC handling (pdpc.gov.sg).