NRIC Numbers in ACRA's Bizfile Service
Ministry of Finance
Summary
This statement concerns the inadvertent disclosure of full NRIC numbers on the Accounting and Corporate Regulatory Authority’s (ACRA) Bizfile People Search function, for which Second Minister for Finance Ms Indranee Rajah apologized while clarifying ACRA’s legal mandate to provide public access to business information for corporate transparency. She explained that the incident resulted from a coordination lapse between the Ministry of Digital Development and Information and ACRA regarding a policy directive on masked NRIC numbers, leading ACRA to mistakenly unmask them in the new portal's free search function. During the five-day disclosure period, over 500,000 queries were recorded from approximately 28,000 IP addresses, though no known threat actors have been identified and a failed bot-detection security feature has since been rectified. Since the service's resumption, ACRA has removed all NRIC displays from the search function, and the public is advised to update any NRIC-based passwords or authenticators to mitigate potential security risks. A review panel led by Head of Civil Service Mr Leo Yip is currently investigating the root causes and communication gaps, with findings and potential disciplinary actions to be shared following the review's expected completion in February.
Transcript
12.58 pm
The Second Minister for Finance (Ms Indranee Rajah): Mr Speaker, Minister Josephine Teo has spoken about the Government's position on the use of NRIC numbers. In my Statement, I will cover the events leading to the disclosure of full NRIC numbers on the Accounting and Corporate Regulatory Authority's (ACRA's) Bizfile People Search function and address related questions from Members.
I want to start by acknowledging the public anxiety and confusion caused by this incident and, once again, extend our apologies for it. Many Singaporeans regard NRIC numbers as sensitive information and are understandably concerned to learn that NRIC numbers were available in full in the free People Search function of ACRA's new Bizfile portal from 9 to 13 December 2024. We take these concerns very seriously.
In the wake of the public concern about the disclosure, ACRA suspended the service and since the resumption of service on 28 December 2024, the search results under the revised People Search function no longer show any NRIC numbers, masked or unmasked. We believe this approach addresses both the concerns that the public currently has and the needs of Bizfile users.
My Statement will cover the following three areas.
First, ACRA's mandate to provide public access to basic information on businesses and their associated individuals.
Second, the series of events that led to ACRA changing the People Search function to unmask NRIC numbers. Here, I will also address questions relating to the scale of the disclosure.
Third, whether a review of the incident will be conducted and if any action will be taken against those involved.
There have been questions on why ACRA needs to provide public access to basic information on individuals associated with businesses, and the types of information that are being made public. Some questions are based on an underlying assumption that NRIC numbers cannot be made public at all, which is not correct.
It is, therefore, important to first have a clear understanding of ACRA's mandate, to collect and disclose information, before we address the other issues.
ACRA is the national regulator of business registration and financial reporting. Its mission is to foster a trusted business environment, so that businesses and individuals, within and outside of Singapore, can transact with Singapore business entities with confidence and know whom they are dealing with. In furtherance of that mission, one of ACRA's roles is to maintain our national business register.
To this end, ACRA is empowered to collect and maintain information on business entities and their associated individuals. Associated individuals include individuals who are owners or directors of companies or shareholders of private companies.
First, on information on business entities. The information on business entities that ACRA collects and maintains includes the business' name; the Unique Entity Number (UEN); incorporation date; status, for example, whether it is live, dormant or wound up; the registered address; business activity; paid up capital; and the list of shareholders. The information on associated individuals that ACRA collects and maintains includes: the individual's name; nationality; identification number, such as the NRIC number; and contact address. It also includes the past and present positions that they hold or have held in business entities that they are or have been associated with as well as when they held these positions.
To maintain corporate transparency, facilitate business transactions and guard against illicit activities, ACRA is allowed by law to give public access to such information, including NRIC numbers. This is provided for under the ACRA Act and other ACRA-administered legislation. Public access to such information is not unique to Singapore. Many business registries around the world similarly provide public access to such information.
Let me provide some examples to illustrate why public access to such information is necessary. For example, when a bank onboards a new corporate client, it will need to conduct background checks on the company's directors. This allows the bank to ascertain if the directors have any history of financial misconduct or if they have been involved in companies with financial or regulatory issues, before deciding whether to grant credit facilities, such as loans. Information on the company's directors, such as their NRIC numbers, will be useful to the bank when confirming the directors' identities.
When companies and investors do business with each other, or when they are considering mergers and acquisitions, they would normally need NRIC numbers to facilitate due diligence checks on the identities and shareholdings of their counterpart's company directors.
NRIC numbers also help to deter illicit activities. When the identities of business owners, directors and other key position holders of businesses are publicly known and are publicly linked to their businesses, it deters these individuals from engaging in illegal activities, such as money laundering and fraud, because their clients, regulators and stakeholders can easily trace them and hold them accountable for their actions. Public access to information on individuals associated with business entities thus maintains corporate transparency, deters illicit activities and upholds trust in our business environment.
In summary, therefore, it is important to understand that the public disclosure of NRIC numbers is not prohibited per se. The real issue is the degree and the ease of access to NRIC numbers. Let me just repeat that, because it is important that people understand this. The public disclosure of NRIC numbers is not prohibited per se. The real issue is the degree and the ease of access to NRIC numbers.
To appreciate the distinction, it is necessary to understand how ACRA's Bizfile portal works.
Bizfile is ACRA's one-stop e-services portal for users to register new businesses, file annual returns, update business and personal information and access information on business entities and their associated individuals. There are two key steps to access information on business entities and their associated individuals on Bizfile: first is, the People Search or what I will, for convenience, call "Step 1"; and second, the People Profile search, or what I will call "Step 2". [Please refer to "Clarification by Second Minister for Finance", Official Report, 8 January 2025, Vol 95, Issue 149, Correction By Written Statement section.]
The People Search function is the first step in a user's search for information on individuals associated with business entities. It allows users to specify and identify the individual on whom they wish to obtain information. This function is free, and I will explain how it works.
On the old Bizfile portal, which was in place before 9 December 2024, users could do a name search, which would return a list of individuals with the same searched name and their masked NRIC number. For example, if you did a name search for "John Tan", and there were four "John Tan"s in the database, all four names would turn up in the People Search results, along with the masked NRIC numbers of those four individuals. If you had the NRIC number of the specific John Tan you were searching for, you would be able to identify the correct John Tan from among the People Search results.
If you wanted more information on the relevant John Tan, you would then have to purchase the People Profile on that John Tan. This is "Step 2", for which a fee is charged. The People Profile contains additional information, such as the individual's full name, full NRIC number, contact address, associated businesses, and past and present positions that they held or hold.
Therefore, even on the old Bizfile portal, a member of the public could obtain the full NRIC number of an individual associated with a business entity by purchasing that individual's People Profile at "Step 2". There was no change to this "Step 2" in the new Bizfile portal.
In other words, the full NRIC number has always been publicly accessible upon the purchase of a People Profile, and this has not been an issue. The NRIC number, in the context of a Bizfile search, has never been confidential or secret. The real issue is one of degree, and ease of access and searchability.
So, what changed? What changed between the old Bizfile portal and the new one launched on 9 December 2024 was the People Search function, or "Step 1". As I explained earlier, if you keyed in a name or part of a name on the old Bizfile portal, previously, the search results would show the names and the masked NRIC numbers. The new Bizfile portal, however, showed the names and the full NRIC numbers, until the service was suspended.
This change to the People Search function on the new Bizfile portal, namely, to display full NRIC numbers at "Step 1", meant that if a user typed in "John Tan", all the four "John Tan"s in the system and their full NRIC numbers would be displayed. However, this change also meant that the public had free access to the full NRIC numbers of any individual in ACRA's database.
This understandably caused public concern since many Singaporeans view their NRIC numbers as sensitive and confidential information. ACRA has since revised the People Search function such that it only returns names and no longer displays any NRIC numbers, whether masked or unmasked.
Mr Ang Wei Neng, Ms Joan Pereira and Mr Liang Eng Hwa asked about the events that led to ACRA unmasking NRIC numbers in the People Search function. As mentioned at the press conference on 19 December 2024, we are thoroughly reviewing the incident to ascertain what exactly happened. The review is underway and I do not want to prejudge the outcome, but I will share the key facts that have been pieced together so far.
The Ministry of Digital Development and Information (MDDI) had concerns about how NRIC numbers were being used, as Minister Josephine Teo has explained in her Ministerial Statement. Consequently, in July 2024, MDDI issued a circular minute directing all Government agencies to: one, stop using NRIC numbers as authenticators or passwords; and two, cease any planned use of masked NRIC numbers in, for example, new business processes and digital services.
ACRA understood the directive to mean that it had to unmask and display in full the NRIC numbers in the People Search function on the Bizfile portal. ACRA had internal deliberations about the risks of unmasking NRIC numbers in its People Search function, including the possible impact on personal data protection. ACRA then sought MDDI's clarification on whether it was required to unmask NRIC numbers in the People Search function on the new Bizfile portal.
However, due to a lapse in coordination between MDDI and ACRA, ACRA continued to understand, mistakenly, that the directive to cease the use of masked NRIC numbers in new digital services required ACRA to unmask and disclose in full the NRIC numbers. Hence, ACRA disclosed full NRIC numbers in the People Search function when the new Bizfile portal was launched on 9 December 2024, as they thought MDDI required them to.
Let me stress this: it was not the Government's intent for agencies to make datasets of NRIC numbers in their possession widely and easily accessible.
Minister Josephine Teo has since explained, both at the press conference on 19 December 2024 and in her Ministerial Statement earlier, that when MDDI told agencies to cease the use of masked NRIC numbers, that did not automatically mean using full NRIC numbers in every case.
Instead, MDDI's policy intent was for agencies to: one, not use NRIC numbers at all unless necessary; two, use other identifiers in lieu of NRIC numbers, where this was adequate; and three, in certain cases, such as in medical settings, where the use of NRIC numbers is required by law or necessary for accurate identification, use full NRIC numbers. MDDI has acknowledged that they should have made this clear.
With the benefit of hindsight, it is clear that there were gaps in the communication and understanding of MDDI's policy intent. The Government is reviewing this lapse in coordination and communication between MDDI and ACRA, and I will elaborate on the scope of the review later.
Mr Xie Yao Quan asked about the length of time taken by ACRA to decide to disable the People Search function. When public concerns first surfaced on 12 December 2024, MDDI and ACRA needed time to assess whether the disclosure of full NRIC numbers in the People Search function was consistent with MDDI's policy intent, as well as the feasibility and lead time needed to effect alternatives. Disabling the search function was a last resort, given the impact on businesses and individuals who might need to use the People Search function to conduct their due diligence checks.
It was eventually agreed that, out of the possible options, temporarily disabling the People Search function would best address public concerns while ACRA reviewed the People Search function. The function was disabled on the night of 13 December 2024. Therefore, while the agencies could have been more prompt in their response, one must also have regard to the various considerations they were balancing at that time. As part of the review, we will study how the Government could have responded more quickly.
Assoc Prof Jamus Lim asked if ACRA intends to extend its fee-based tiered access policy to more personal data. ACRA has no plans to do so. The issue here, as I have explained, is not about collecting or disclosing more personal data, but the ease of access to and the searchability of existing personal data that is currently publicly accessible.
Let me now move on to the queries about the scale of the disclosure. First, I should emphasise that ACRA's database does not contain information on all Singapore Citizens. It contains information only on individuals who are reflected in filings or lodgements made with ACRA. These are individuals who are or have been involved in ACRA-registered entities, such as companies, partnerships, as well as non-profit organisations that are companies limited by guarantee.
If you or your authorised representative have not made any filing with ACRA before, your NRIC number would not have been collected or shared by ACRA. However, if you have incorporated a business or assumed a board directorship, your information would have been collected and made publicly available through the People Profile, or "Step 2". The fee imposed at "Step 2" acts as a filter and makes it more likely that those accessing the People Profile information have a good reason for doing so.
In respect of the period from 9 to 13 December 2024 when full NRIC numbers were disclosed on the People Search function, Mr Dennis Tan, Ms He Ting Ru, Mr Louis Chua and Dr Tan Wu Meng have asked about the number of People Searches conducted, the number of distinct users who conducted searches, the number of NRIC numbers that were disclosed before the People Search function on the new Bizfile portal was disabled and the risk that NRIC numbers were accessed by malicious actors.
Based on the investigations so far, more than 500,000 queries were made on People Search during that five-day period from 9 to 13 December 2024. This was much higher than the usual daily traffic of 2,000 to 3,000 queries. The bulk of these queries was made on 13 December 2024, the day after news of the NRIC numbers on the new Bizfile portal broke. These searches came from an estimated 28,000 Internet Protocol (IP) addresses, most of which were from Singapore. We are unable to identify the exact number of NRIC numbers that were disclosed through these queries, as the Bizfile portal is not configured to track individual queries for the People Search function.
ACRA and GovTech have since conducted a security review and identified that the security feature in the People Search function designed to distinguish between human users and computer bots was not working as intended. This has since been fixed. Thus far, we have not uncovered any known threat actors, based on the IP addresses that were used to make the People Search queries between 9 and 13 December 2024.
That said, those who are concerned that their NRIC numbers may have been accessed can still take steps to protect themselves. First, ensure that your NRIC number is not used as a password for any of your digital accounts. If you are using your NRIC number as a password, you should change your password as soon as possible. Second, do not use your NRIC number for authentication. If you are currently using your NRIC number for that purpose, change your authenticator as soon as possible. Third, do not assume someone to be a legitimate authority even if they know your NRIC number. Even if someone can recite your full NRIC number, it would be prudent to ascertain their identity and intent by conducting other checks.
Following this incident, ACRA is reviewing how the People Search function can be improved. For example, ACRA is considering the roll-out of additional search parameters, such as the UEN of the entity with which the individual is associated.
I now come to the last part of my Statement, which is on the review of the incident and whether action will be taken against those involved.
As mentioned earlier, a review panel has been set up to study the root cause of the incident, and work is already underway. The panel is led by Head of Civil Service Mr Leo Yip, and it includes Permanent Secretaries whose Ministries are not involved in the NRIC policy or this incident. It also includes the Permanent Secretaries of the Ministry of Finance, which oversees ACRA, and MDDI. The panel will report to Senior Minister Teo.
The panel will review two matters: first, the Government’s policy on the responsible use of NRIC numbers; and second, the disclosure of full NRIC numbers on the People Search function of ACRA’s new Bizfile portal.
For both matters, the panel will study what happened, how the decisions were made, the implementation and communication processes, the coordination across public sector agencies, and where the Government should have done and can do better. It will also recommend areas for improvement. Specific to the People Search function on Bizfile, the panel will look into the design and implementation of the search function. The panel expects to complete its review in February. We will share the review findings thereafter.
Mr Don Wee asked how the disclosure of full NRIC numbers on the new Bizfile portal aligns with data protection policies under the Personal Data Protection Act (PDPA). First, in the interest of corporate transparency, ACRA is legally allowed to disclose certain information, as I explained earlier.
Second, beyond such permitted disclosures, ACRA, as a public agency, is required to meet personal data protection standards set out in the Public Sector (Governance) Act, or PSGA, and Government Instruction Manuals (IMs), which are standards similar to those under PDPA. The PDPA applies to the private sector, whereas public agencies like ACRA are governed by the PSGA and the Government IMs. As the panel is still ascertaining the full facts of this incident, it would be premature to conclude definitively whether there has been any breach of the PSGA or the Government IMs.
As for whether action will be taken against those involved, that depends on the outcome of the review. Based on the panel’s preliminary findings, the incident seems to be a genuine case of miscommunication born out of insufficient understanding of the policy intent and each party's needs and requirements. Nevertheless, if the panel uncovers facts that suggest actionable wrongdoing or serious lapses, it will refer the matter to the relevant bodies or authorities for further disciplinary or legal action.
Mr Speaker, in conclusion, there are three key points I wish to reiterate.
First, providing public access to information on business entities and their associated individuals, including NRIC numbers, is part of how ACRA upholds corporate transparency and deters wrongdoing. But this information only pertains to ACRA-registered entities and individuals who are reflected in filings or lodgements made with ACRA. ACRA does not have the NRIC numbers of all Singapore Citizens.
Second, while MDDI intended for Government agencies to cease using masked NRIC numbers, it did not intend for Government agencies to unmask all the NRIC numbers that they were masking. The unmasking of NRIC numbers in the People Search function arose from ACRA's misunderstanding of MDDI's policy intent, and gaps in communication and coordination between agencies. That said, even if ACRA had been labouring under the wrong impression, it should have been more mindful of the need to balance corporate transparency and the likely public concerns over the ease of access to and searchability of personal information in the People Search function on the new Bizfile portal.
Third, the Government will learn from this episode and do better in the future. We are reviewing this incident thoroughly and will, in due course, share with the public the lessons learnt.
Let me conclude by saying something on behalf of ACRA. ACRA has acknowledged its mistake and is very sorry that this has happened. Since then, it has been doing its utmost to put things right and do better. They worked throughout the festive period to get the revised People Search function in place and to test and check the system. At the same time, they have been assisting Bizfile users in navigating the revised search function.
ACRA will work on improving its services and step up its data management measures. It will also support the review panel in identifying what went wrong and what could and should have been done better.
This brings me to the end of my Statement. Mr Speaker, may I suggest that Members seek clarifications in three segments: first, on the Government's position on the use of NRIC numbers; second, on the events that led to the unmasking of NRIC numbers; and third, any other clarifications.
1.29 pm
Mr Speaker: Before I call on hon Members for your clarifications, I just wish to point out Standing Order 23. Members may seek clarifications on the Ministerial Statements, but no debate shall be allowed thereon.
As you heard earlier, there are 32 Members who have filed 51 questions on this issue. I will be giving priority to these Members to seek their clarifications. And in view of the number of Members who have filed questions on this matter, I seek all Members' understanding to: first, keep your clarification short, clear, concise and at a quick pace; second, avoid preambles where possible. If a preamble is necessary, keep it brief; and third, state all your clarifications upfront. Do not break them up. And likewise, I ask Ministers – the two Ministers – to also keep your answers clear and concise.
By adopting this approach, I hope to allow everyone to raise and address as many clarifications as possible.
First clarification question, Ms Tin Pei Ling.
Ms Tin Pei Ling (MacPherson): Thank you. I have a few clarifications. First of all, one of the key issues that we have seen here is the question of, "Has the policy stance changed?"
Prior to the introduction of PDPA, Singaporeans were quite comfortable with sharing their NRIC numbers. There were even instances whereby NRIC numbers were published in the papers after a lucky draw result was out. So, that was at the beginning. Then, later, we were cultivated to be sensitised to NRIC numbers, especially in the period of introducing PDPA. So, now, with the latest incident, naturally, Singaporeans will wonder, "Is there a change and why is there a change?"
And compounding this was that there was a guideline on the collection and retention of NRIC numbers, as part of the guidelines under PDPA. Shortly after the incident, the guideline was withdrawn from the Internet. So, then the question is: why was this withdrawn? What significance is this action? And, therefore, what kind of message are we sending? That is my first clarification.
Secondly, it is now clearly clarified that the NRIC number is personal information and that it has to be dealt with with care. So, beyond a matter of respecting individual preference, Singaporeans are concerned about how this NRIC number can or cannot be used for identity theft or scams, which I know the Minister had addressed in her Statement.
What would be helpful is to share what kind of actions will be put in place to safeguard such information and prevent such misuses. How can Singaporeans be assured further? And from now till then, as the Ministry goes out to engage organisations that are currently using NRIC numbers for authentication, not just for passwords or default passwords but also as default identification, or ID, what is the period of time that the Ministry is looking at to quickly get these organisations to rectify it, so that it would help to alleviate the concerns and anxiety that Singaporeans may have during this period?
Thirdly, if NRIC numbers are not meant to be used as an authenticator, then in the past few years, why did the Government not actively go after organisations that have been implementing such practices? Would it be seen as implicitly endorsing this understanding?
And lastly, I am glad that there will be a review panel to establish the facts of the matter, but at the same time, I also would like to urge the Government to be fair to the civil servants, especially ACRA in this instance, especially if they had no ill intent. But as a whole-of-Government effort, there is shared responsibility. So, I urge the Government, in the review, to also be fair to the civil servants involved.
Mrs Josephine Teo: Mr Speaker, I thank the Member Ms Tin Pei Ling for her questions. There are quite a few. One of them will need to be addressed by Minister Indranee, but I will attempt to address the rest.
Let me first say that I appreciate Ms Tin's comments that we should be fair in how we conduct the review proceedings, and I think that is the intent. But the intent is to be rigorous and to be thorough, which also necessarily means that we do not further speculate on what took place. And that is part of the discipline that we will have to observe in order to ensure that, not only do we get to the bottom of matters but also that we are fair to all parties.
Ms Tin had a specific question on the Guidelines on NRIC that are issued by PDPC and why were they withdrawn? It was withdrawn for a very short period of time to apply a new label to it, to draw people's attention to the statements that were made subsequently. So, it was intended to basically tell people that the Guidelines remain valid and the new label says so, but to please note these other discussions that have surfaced. So, I hope that addresses the question.
Ms Tin also asked what should be done if the NRIC number has still been disclosed, what do you do about preventing scams, what do you do about pushing back against identity theft? I explained in my Ministerial Statement that NRIC-related scams have been around with us for some time. Most of the NRIC-related scams pertain to the scammers giving the impression that they are figures of authority because they are able to cite your NRIC number. Very few of the scams, in fact, it is not quite so easy to pinpoint even one specific instance, where the scammer was able to get hold of the NRIC number and then key that in to unlock valuables.
So, it goes back to the best protection that we can have for each other, and that is: for organisations, not to use NRIC numbers as authenticators or default passwords; and for individuals, not to use these NRIC numbers as passwords.
How do we help organisations to do this as quickly as possible? Firstly, we recognise that it may take them time. Not everyone understands this. Even for Members of Parliament, it has taken two Statements and more than an hour to get to this point. So, we do not under-estimate the effort that is going to be required, the public education exercise that will have to be mounted and the many outreach sessions that we are likely to have to conduct, in order to help people understand the risks of continuing to use the NRIC number as an authenticator and as a password.
So, we must give it adequate time. But the resources to help these organisations are available. We will do so through PDPC. Between the Infocomm Media Development Authority and the Cyber Security Agency, there are also programmes that will put the organisations in touch with the relevant knowledge experts, service providers that can help them bring about the change.
To go back to Ms Tin's first question: has the policy changed? I explained at the outset that the Bizfile incident, without intending to, may have led people to think that the Government now has a new policy of allowing full NRIC numbers to be disclosed on a wide scale. And this is not the case. This is not the direction that we are moving towards.
The change is only in respect of stopping the incorrect uses of NRIC numbers as authenticators and as passwords. That is the change. The policy, the guidelines, the duty of care that organisations must exercise when they collect and use NRIC numbers, those have not changed.
Ms Indranee Rajah: Just a very quick response to Ms Tin. Her comment was that she hoped that the review would be fair to ACRA. As far as the review panel is concerned, the intention is to be thorough and also to be fair to all. Both to ACRA as well as MDDI, to all involved. But it must undertake the review seriously and carefully.
As I mentioned earlier, based on the preliminary findings, the incident seems to be a genuine case of miscommunication, but at the same time we do not want to prejudge the issue. So, as I also mentioned, if the panel uncovers facts that suggest actionable wrongdoing or serious lapses, then it will refer the matter to relevant bodies or authorities for further action. So, they will be objective, they will be fair, but they will also be thorough and rigorous.
Mr Speaker: Mr Pritam Singh.
Mr Pritam Singh (Aljunied): Sir, in July last year, this House passed the ACRA (Registry and Regulatory Enhancements) Bill. Amongst other things, the Bill introduced a framework that sought to protect the confidentiality of personal information by limiting public access and allowing only specific parties access for the purposes of fulfilling regulatory obligations. Minister Indranee, in moving the Bill, confirmed that the Bill laid the groundwork for the enhanced Bizfile system that was targeted for launch at the end of 2024.
No mention was made in the Minister's Second Reading speeches about the Government's new approach vis-a-vis NRIC numbers. A public consultation was also undertaken for the Bill, which was published in March 2024. In this consultation, ACRA had proposed, "to partially mask the identification numbers of all individuals in ACRA's registers which are made available to the public and introduce a contact address that will be shown to the public."
There was some feedback to this proposal, principally related to corporate transparency and know-your-client requirements. ACRA responded to this and said, "On the proposal to mask identification numbers, the concerns on requiring access to full identification numbers have been duly noted. We will review this further and provide an update in due course."
Sir, my first question: as the issue of the masking of NRIC numbers was clearly in ACRA's contemplation for the purposes of the amendment Bill in July 2024, when did ACRA intend to provide an update to its public consultation? And in view of the reply, if I heard correctly from the Minister, the circular came into being in July 2024, when was ACRA intending to provide an update to its public consultation and why did it go ahead, especially in view of these public representations?
Secondly, ACRA and the Government would have been acutely aware that the public treats NRIC numbers as personal data and for personal data privacy reasons, and that these should not be disclosed to the public. Minister Josephine Teo acknowledged that. But in 2022, on the back of amendments to various corporate statutes, the point was acknowledged in Annex A of a public consultation exercise for another Bill that NRIC numbers are confidential information.
My second question, therefore, is: in view of the serious and significant public concern about how the unmasking of NRIC numbers that took place could have occurred so easily, despite enough feedback about not just how the public but ACRA itself views the sanctity of NRIC numbers, by virtue of its consultation exercises in 2022 and 2024, surely the matter would have had to be brought to Parliament instead of simply interpreting a circular from her Ministry? That is the second query to the Minister.
And finally, I note my Parliamentary Question (PQ), Question No 25 in yesterday's Order Paper, subsections (b) to (d) of that question really have not been answered. So, I would appreciate a reply from the Minister.
Ms Indranee Rajah: If the Leader of the Opposition could just give me a moment to check the notes on this.
Okay, just a few things. I do not have all the details of what the Leader of the Opposition has asked, but what I can give him are some of the details. First, the summary of the public consultation was issued in April 2024. In the summary of the consultation, what was said was this: the proposal to "partially mask the identification number of all individuals in ACRA's registers which are made available to the public, and introduce a contact address as the default address of individuals that will be shown to the public instead of the individual's residential address".
The feedback was: "Some respondents expressed concerns on the need to have access to full identification numbers and other personal data for corporate transparency and compliance with know-your-clients requirements. Some respondents sought clarification on whether there would still be sufficient information to identify an officeholder that is tied to a particular business entity on ACRA's registers."
So, you can see there were two types of feedback: some expressed concern about having full identification numbers made available; others needed to know how to identify the right person. ACRA's response was to proceed with the proposal to introduce a contact address as the default address of individuals that will be shown to the public. On the proposal to mask identification numbers, the concerns on requiring access to full identification numbers have been duly noted. We will review this further and provide an update in due course.
I think that was what the Leader of the Opposition was referring to.
This is going to have to be dealt with more deeply in the review because the review panel will be looking into the matter. But my understanding was, when ACRA was looking at this, they were deciding whether or not to even give full NRIC numbers. But on the MDDI side of the house, they had been indicating that they were reviewing this. So, that was put on hold. Then, after that, the July circular came along and the misunderstanding occurred, and then that is what happened. So, that is the short sequence of what I know, but the review panel will look into this in more detail.
Mr Speaker: Mr Liang Eng Hwa. Okay, Mr Singh.
Mr Pritam Singh: Mr Speaker, thank you. It is not a new supplementary question, but I had other questions, specifically pertaining to Question No 25 on yesterday's Order Paper.
Mr Speaker: Sorry, could you say that again?
Mr Pritam Singh: I had also asked other questions in my Question No 25, parts (b) to (d). It was on yesterday's Order Paper. I think those have not been answered.
Mr Speaker: Sure, okay.
Mr Pritam Singh: And there was another query with regard to why the data issues did not come back to Parliament, but I think the Minister has said it is part of the review, so I think that is answered. But in the original PQ, there are still components which have not been answered.
Mr Speaker: Which is the first part of your question, right? You are referring to your queries in yesterday's PQ.
Mr Pritam Singh: Perhaps for the convenience of the Ministers, I can just repeat the question, the specific components.
To ask the Minister of Digital Development and Information, when was the Ministry circular that sought to change the practice of masking NRIC numbers dated and communicated to Government agencies? I think Minister answered by saying July 2024.
Part (b) was, when did the Ministry determine that such a change was necessary and begin planning for it? Part (c) was, whether any whole-of-Government discussions took place before and after the issuance of the circular? And part (d), how many other agencies, apart from ACRA, misread or misunderstood the circular?
Mrs Josephine Teo: Mr Speaker, in response to the Member's question, I do not have the exact date when the discussion started. It would have to be months before that.
To his question on whether there were whole-of-Government discussions, as would be typical of a change of this nature, besides issuing circulars, there would also have been briefings which would have allowed for clarifications. Then, upon those clarifications, it would also be quite a common practice amongst Government agencies to compile "frequently asked questions" in order to provide useful references to colleagues. So, I can share with the Member that these things did take place.
As to how exactly the incident unfolded, I seek Members' understanding and kind support. At this juncture, even if we were to start pointing to this particular event or that particular occasion, they would still not allow us to piece together the whole picture. And if such episodic events were discussed, you could invite further questions. I think what could be even more difficult is if we gave the impression that there was an effort to conceal certain parts of the process, because we were only talking about other parts.
So, I think I would refrain from further citing specific events leading to the launch of the new Bizfile portal on 9 December and the other associated events around it. So, I seek the Members' understanding that it would not be a very good idea for us to keep going into the specific details at this juncture.
Mr Speaker: Whilst we await the full review, is that right, Minister? That is why you are saying there is a full review that is being undertaken. Okay.
Mr Liang Eng Hwa.
Mr Liang Eng Hwa (Bukit Panjang): Thank you, Sir. My clarification pertains to the masked NRIC numbers. I note from the Minister's Statement that the Government will be moving away from the practice of using masked NRIC numbers. Can I ask the Minister, besides the concerns of giving the public a false sense of security with the masked NRIC numbers, are there any downsides to continuing with this practice of having masked NRIC numbers? Secondly, if the masked NRIC number, which I see as a middle-ground solution, is something that the public is comfortable with and they do know that it is not foolproof, that it is not absolutely secret, why then is there a need to take away this caution?
Mrs Josephine Teo: Mr Speaker, the Member asked whether there are any downsides to using masked NRIC numbers. The same could apply to partial NRIC numbers. I explained earlier in my Ministerial Statement that what has happened is that nowadays, there are quite easily available online, algorithms that can allow you to guess, or work out, or derive, the full NRIC number, particularly if you know the birth year of a person.
And actually, to work out the birth year of a person is not at all difficult. Public figures would certainly have Wikipedia pages where your birth year is well known. Even individuals who are not necessarily public figures may have talked about celebrating birthdays on their social media accounts. In which case, a person who is determined to work out the full NRIC number of these individuals from the masked NRIC number or the partial NRIC number, could quite easily use these algorithms to do so.
So, the ease of availability of such algorithms will mean that the continued use of masked NRIC numbers gives this false sense of security that will not go away. And if this false sense of security were to persist and people think that their full NRIC number is still a secret, and they continue to use it as a password or if organisations set it as a default password or use it as an authenticator, that is where the risk of scams is, that is where the risk of harms associated with identity theft will become more commonplace.
We thought that the right thing to do whilst the problem is still relatively contained, is to try and bring a stop to these kinds of practices. And the Government should take the lead for our own purposes. As to the private sector, we had always known that it was going to be difficult and therefore, it was important to both engage in public education as well as consult the public on what would be the appropriate approach.
I take the Member's point of view that from an individual standpoint and from an organisation's standpoint, psychologically, there is comfort that not the full NRIC number is known. If it was truly safe, then I think we can certainly consider continued practices of this nature to be not particularly harmful and not particularly something that has to be acted upon. But knowing what we know now, and knowing that there is now the ease of availability of these algorithms, and not doing something about it, that is also not responsible.
Mr Speaker: Mr Louis Chua.
Mr Chua Kheng Wee Louis (Sengkang): Thank you, Speaker. Just two clarifications. The first is that I understand that there were about 500,000 queries, but given that we do not know actually whose NRIC number was being accessed, would the Government consider issuing individual notifications to all the different households in the four major languages, just to inform them of this incident and the necessary precautions that need to be taken just to ensure that people are prepared?
And I say this also because in the case of private organisations, should there be a data breach, they are actually obligated to inform both the PDPC and the individuals affected.
Secondly, it is part of my original PQ: what is the Government's assessment of the risk of NRIC numbers being potentially used to unlock large amounts of personal information. I think there was a Straits Times article that talked about how it can be used to access bank information and healthcare records. And so, has the Government given a timeline for both the Public Healthcare Institutions or private financial institutions to stop the use of the NRIC as an authenticator?
Mrs Josephine Teo: Mr Speaker, I thank the Member for his question. I think following the media conference as well as statements that were made in relation to the Bizfile incident, I recall that the Association of Banks had issued a statement on how banks do not have the practice of using the NRIC number as a sole factor of authentication. I think the awareness in certain sectors is certainly reasonably high. I believe the telecommunications companies may also have issued a statement. It was in the festive period, so I apologise if I cannot remember specifically who issued what statement.
Within the sectors where there are regulators, I think we can say with a good degree of confidence that the awareness about the inappropriateness of using NRIC numbers as a factor of authentication is quite high. But again, we do not want to assume. We still want to go through the rigour of ensuring that such practices stop.
I would say that outside of these regulated sectors, there is a very large number of companies; and it would be best for us not to assume that the incorrect uses of NRIC numbers are well understood. So, our working assumption is that outside of the regulated sectors, we have an even bigger challenge.
Having said that, I want to go back to the answer that I provided in response to Ms Hany Soh's questions. If you look at the NRIC-related scams that we have observed thus far, most of them relate to the victims thinking that they were dealing with a figure of authority, because that person, the scammer, was able to cite the NRIC number. Police have actually not been able to specifically identify cases of NRIC-related scams where the NRIC number was inputted to steal valuables. That has not so far been the commonplace observation among NRIC-related scams.
Mr Speaker: Mr Xie Yao Quan. Sorry, Minister Indranee Rajah, I forgot to call on you. You have an answer to give in response to Mr Louis Chua.
Ms Indranee Rajah: Mr Louis Chua sought a clarification on whether it would then be a good idea to give notices to all individual households informing them about the incident and letting them know what to do. The first thing to clarify is that the NRIC numbers in Bizfile are not the NRIC numbers of all Singaporeans. So, actually, sending notices to all households would necessarily go beyond the NRIC numbers that are with ACRA.
The other thing to bear in mind is that those who have incorporated a business or have taken on board directorships and so on, and have their information with ACRA, would know that the information can be made publicly available.
I think the better approach is really this – for everybody who has provided information in lodgements or filings with ACRA to take heed of what we have indicated, which is: one, do not use your NRIC as a password or authenticator; two, be careful if somebody comes citing your NRIC number asking you to do something, and this will be part and parcel of the public education that we will put out. But it is not necessary to notify all households.
Mr Speaker: Mr Xie Yao Quan.
Mr Xie Yao Quan (Jurong): Thank you, Speaker. Currently, there are many transactions between Government agencies and citizens that use masked NRIC numbers, and this has been a long-standing practice by the public sector and citizens are very used to this practice.
In view of Minister Teo's clarification that the Government is not moving to a widespread disclosure of full NRIC numbers in its transactions with citizens going forward, but only to use full NRIC numbers as an additional identifier in specific cases where this is actually necessary, it will be very helpful to help the public understand just what these specific cases might be. In what specific cases would the Government actually be using full NRIC numbers going forward, because it is necessary to do so? In what specific cases would the Government use other identifiers in lieu of NRIC numbers and in what cases would the Government be dropping the use of other identifiers altogether, because a citizen's name alone would be sufficient for identification purposes?
It will be very helpful if Minister Teo could provide more clarity on this going forward and, indeed, if Minister could also provide some reassurance, even at this stage, if possible, that the Government expects that in the majority of cases going forward, the use of full NRIC numbers will not be needed. That will be helpful.
Mrs Josephine Teo: Mr Speaker, I thank Mr Xie Yao Quan for his question. He is right to note that in place of masked NRIC numbers, the Government believes that in some instances, there would be no need for the NRIC number at all. He is also right to say that in other instances, we believe that names alone or some other identifier would be sufficient.
But I think this is important to state: when interacting with the Government, for example, if you are applying for subsidies, if you are hoping to access some benefits that the Government is able to provide to you, if you are laying claim to something important and something valuable to you, these would be instances where the full NRIC numbers should be used. The whole purpose of making sure that we stop the incorrect uses of NRIC numbers is to enable the confident use of full NRIC numbers when we need to do so.
I appreciate where Mr Xie is coming from. There are many, many use cases for the Government. It would not be possible at this point in time to list all of them. There must be hundreds, if not thousands of cases where internally, in correspondence with citizens, there may be a reason to use some form of identification.
The decision that we thought that we should take is that each case has to be carefully assessed and each case will merit its own considerations. So, I would ask for Mr Xie's patience. Prior to the Bizfile incident, this process had not been completed. I can share with him that this process had started, but it was not yet complete.
Mr Speaker: Ms Hazel Poa.
Ms Hazel Poa (Non-Constituency Member): Speaker, my first supplementary question is: which Government department and Statutory Boards have been using NRIC as a factor of authentication and when will they stop? Specifically, when will Singpass stop using NRIC as a login ID? My second supplementary question is: when the review on ACRA's incident is completed, will the report be made public?
Mrs Josephine Teo: I should not answer on behalf of Minister Indranee, but I believe the answer to the Member’s last question is yes, there will be a public release of the findings of the after-action review. Minister Indranee can clarify.
Ms Hazel Poa had asked about the use of authentication amongst public sector agencies. What I can share with her is that following the circular that was sent out, to the best of our knowledge, all Government, all public sector agencies have ceased the use of NRIC numbers as authenticators. I do not have, off-hand, who might have been using it before and I do not want to misrepresent. I hope she understands that.
There was a middle question that I missed. Singpass, yes. The question of Singpass is a very interesting one. Singpass is available to anyone aged 15 and above, so it is a very wide group of people. In making Singpass available, designers have to find a way to have a unique identifier and so the NRIC number is used as the default identifier. So, it is used only as an ID. It is not used as a password; you set your own password.
Although it is the default identifier, Singpass allows anyone to change out their user ID to something that is not their NRIC number. Prior to this incident, maybe not everybody was very aware of it, but it is actually not difficult to change your user ID. It is not difficult to go onto your Singpass app to change your user ID. If you do not wish to have your NRIC number as your user ID, you may change it to something else.
Ms Indranee Rajah: I just wanted to say in response to Ms Poa's question, because I wanted to be very specific. She asked whether the report will be made public. I do not know what form the review findings will take. What I said just now and what will be accurate for me to say is that the findings will be made public. I do not know in what shape or form the review panel is intending to put together the findings.
Mr Speaker: Dr Tan Wu Meng.
Dr Tan Wu Meng (Jurong): Mr Speaker, I thank the Ministers for their replies. I filed three PQs on this. First of all, can I ask the Ministers: at the whole-of-Government level, would they not agree that implementation is policy – and that is actually a quote from a former Head of Civil Service, Mr Lim Siong Guan. To build on that, would they, furthermore, also consider that implementation must recognise contemporary reality as well as emerging reality that the policy has to operate in?
Secondly, can I also ask the Ministers, moving forward from what has happened here, the bell cannot be unrung, information that has been released cannot be unreleased. But moving forward, will our agencies very actively look at how the world has changed and is continuing to change? For example, how today online bots can scrape thousands or even millions of data points if a search engine delivers the information quickly; that there are scammers and hostile actors hoping to harvest every database they can get their hands on, anything with an application programming interface, or API, that can be accessed.
And lastly, given all of this, whether there can be continued deep attention in the review to how in Government e-services, we approach aggregates of data, especially when that data can be searched by the public or persons even from outside Singapore.
Mrs Josephine Teo: Mr Speaker, we acknowledge the mistake made in trying to implement the move to stop the incorrect uses of NRIC numbers. The Government has said so and the Government has also explained that the implementation had not started for the private sector. So, the implementation was supposed to have taken place within the public sector first. In this process of implementation, there were gaps in coordination and these resulted in ACRA misunderstanding what was required of them and disclosing the NRIC numbers in full when they launched their new Bizfile portal.
Clearly, there are lessons to be learnt from this incident. This was a mistake. This was a misstep. We would like to have avoided it, but it has happened and we will do our best to learn from it.
Mr Speaker: Ms Sylvia Lim.
Ms Sylvia Lim (Aljunied): Speaker, I have a clarification for Minister Josephine Teo and one for Minister Indranee.
Minister Teo earlier talked about the use of NRIC numbers or information as authentication, and she drew the distinction between the use of the number itself versus, say, the production of the NRIC card, which she said could be used for authentication because it contains more information.
I would like her view on how this would apply to the digital NRIC that is in our Singpass, because most people do not carry the physical card around anymore. I found from personal experience that going to the bank, they still want me to produce the physical card. So, I would like her opinion on whether she thinks this distinction between the physical card and the digital IC in Singpass is a logical and well-founded distinction. So, should actually the digital IC be taken as acceptable for authentication purposes? I would like her view on that.
For Minister Indranee, earlier she touched on the MDDI circular minute that we all hear has been misunderstood by ACRA. She mentioned that ACRA actually sought a clarification from MDDI. What was the nature of the clarification and was there any reply from MDDI to ACRA's clarification?
Related to that, there is intense interest in the public on the circular. I am just wondering whether she would agree that for the review panel, at least, when they put up their report, that this minute could be made public so that people can form their own judgement on how this misunderstanding could have occurred?
Mrs Josephine Teo: Firstly, congratulations to Ms Sylvia Lim on her recent nuptials. You must have used your full NRIC number at the registry, right? Singpass too!
Ms Lim asked a very relevant question. Does the digital NRIC card suffice as an authenticator? If you open up your Singpass app and you tap on your digital NRIC card, you will see your photograph. And therefore, containing this information allows the digital ID card to be matched against the person holding the device that shows this digital NRIC. In fact, we have said quite clearly that the production of this digital NRIC card is the same as producing the physical NRIC card. So, that part is quite clear. So, it would be acceptable as an authenticator. I could just put it across that way.
Ms Indranee Rajah: I thank Ms Lim for her question and I can understand the curiosity. First, let me deal with the issue of whether there was a response when ACRA sought clarification. There was a response, and I understand that the communications continued for a while.
The reason why I am not saying more about this is so that the review panel can look at it in detail.
As Ms Lim and indeed, almost anybody who has done investigation would appreciate, when people communicate with one another, whether it be verbally or in writing, they do not do it in nice, complete sentences that flow on nicely. There will be short phrases. You will assume what somebody else is saying, or you use a short phrase. So, all of that has to be pieced together in a review, the full picture put together and then you get an understanding of what happened.
Suffice to say, as I have summarised in my Ministerial Statement, ACRA and MDDI did talk. It is not like they did not talk, because ACRA did have some concerns. But what is very clear is that there was not a clear understanding of the policy intent and in some cases, it really was a lapse of coordination. That is as much as I can say at this point.
On the second point of whether the document, the circular minute, should be released or not, that I will let the panel decide. But the general principle is that you normally do not release Government documents. What does happen sometimes is that the relevant extract or the relevant portion gets cited. At least for these purposes, the most material part of the circular minute is what I have said in my Statement, which were the words "to cease the use of partial, masked NRIC numbers". That is really the most relevant part of that document, and that is what led to the incident in question.
Mr Speaker: Mr Dennis Tan.
Mr Dennis Tan Lip Fong (Hougang): Thank you, Mr Speaker. I would just want to clarify with Minister Indranee and this relates to my Question No 36. In respect of persons whose NRIC numbers have been accessed and if subsequently proven that they have been accessed and downloaded by malicious actors for scams or onward sale during the period of 9 to 13 December, is the Government to prepare suitable compensation or remedy to such individuals?
Ms Indranee Rajah: In response to Mr Tan's question, I think the first difficulty, which I indicated earlier, is that we do not know what or whose information might have been accessed. In the first place, to talk about compensation assumes that you know whose information and so, somebody could come and say, "Oh, my information has been accessed; therefore, I should be compensated."
That leads to the second and the more important point. Anybody who has provided personal information in a document or lodgement with ACRA would know that actually that information is available publicly. For example, if you are a director and you file a document saying that you are a director, you would know that that information would be made public. As a lawyer, Mr Tan would have done public searches, ACRA searches. When you are going to commence a suit and you are looking to see which director to sue, you would do an ACRA search, you would look for his NRIC number and you would actually put his NRIC number on your Writ of Summons when you issue it against him.
So, if the claim is that the NRIC number was made public, then the suggestion is that it is wrong to make it public. But information held by ACRA is actually permitted to be made public. That is the nature of a registry. The nature of a registry is to maintain a register, and the nature of a register is to have information. The information in the register is put there for a purpose, and that purpose is for the public to access it. So, there would be some issue with that suggestion, I think.
The short answer to the question is, at the moment, you do not even know whose information has been accessed. But second, insofar as the suggestion is that the information cannot be made public, the answer is that such information can be publicly accessible. So, I am not sure about the context in which a question of compensation arises.
Mr Speaker: Mr Leong Mun Wai.
Mr Leong Mun Wai (Non-Constituency Member): Mr Speaker, first of all, I would like to thank the Ministers for confirming that the full NRIC numbers are not about to be unmasked in a very big way. I think that is the single most important worry of many Singaporeans. We have no problem about the Government using our full NRIC numbers or the banks using our full NRIC numbers in their internal processes. But to reveal those numbers, like what ACRA has done, although ACRA is exempted from the PDPA, we have a problem.
And we thank the Ministers for confirming that that is not the case. Because during the whole process leading up to today's clarification, even including the Ministers' press conference, it was not exactly clear as to what the Government intends to do. So, today's clarification is very useful.
And why was it not very clear? Because even after today's two hours of clarification, we still have doubts that ACRA disclosed the full NRIC numbers when it is not supposed to do so. So, why not ACRA comes out, do a proper apology and then the Ministers come out to say that, "Yes. We also caution that —
Mr Speaker: Mr Leong, do you want to make your clarification? Do not make a speech here. Thank you.
Mr Leong Mun Wai: Yes, yes. The clarification has to be preceded by this preamble.
Mr Speaker: Please heed my advice. I spent a lot of time earlier asking everyone to do the same thing.
Mr Leong Mun Wai: Yes. What I am saying is that why can ACRA not just come out and say, "Yes, we made a mistake." Then, case closed. And then, at a later stage, the Government can say that, "Yes. Please be aware of using your NRIC number as authenticator." So, step up the education and that is case closed. I do not know why the Ministers —
Mr Speaker: What is your clarification, may I ask?
Mr Leong Mun Wai: So, we are not sure why the whole process has taken on such a shape. As a result, I have a few questions, although first of all, I am very disappointed that the circular is not —
Mr Speaker: Mr Leong, please, all the other Members have just asked their clarification. I allow a short preamble. Your preamble is not short. So, can you go straight to your clarification? Thank you.
Mr Leong Mun Wai: My clarification is this. Whether the circular was cleared by any political officeholders and whether any political officeholders were giving direction when the civil servants in ACRA and MDDI were clarifying with each other on the instructions of that circular. Depending on the answers, I would like to know whether our civil servants have been thrown under the bus.
Ms Indranee Rajah: Mr Speaker, Sir, I would like to thank Mr Leong Mun Wai for his very clear and definitive statement that actually, all that is necessary is for ACRA to do a proper apology and for the Ministers to say what needs to be done, and it would be case closed. Because ACRA did give an apology. That was back in December at the press conference. And at that press conference, Minister Josephine and I also did say what would be the proper thing to do – which is, do not use your NRIC number for authentication; and make sure that if anybody comes with your NRIC number, do not take that at face value, and do your checks.
So, by the definition that Mr Leong has put forward, actually it should be case closed, and I thank him for that.
It is just that because there were PQs filed, this comes back to Parliament and it is necessary for us to explain. That is the reason why we are here today. It is really to respond to the PQs.
On the question of the circular minute, certainly not myself. Second, you will have to look at the review in due course.
Mr Speaker: Mr Yip Hon Weng.
Mr Yip Hon Weng (Yio Chu Kang): My clarification is directed to MDDI and it pertains to scams and targeted communications. How does the Ministry plan to communicate the approach for the use of NRIC numbers to hard-to-reach segments of our society, like less tech-savvy individuals, such as seniors? And besides leveraging on examples of incorrect uses of NRIC, what other methods will be used for education, given that this is not really a very easy policy to explain? Would the Ministry also consider using Silver Generation Office or the SG Digital Office to do house visits and sort of explain this to seniors?
Mrs Josephine Teo: Mr Speaker, I thank Mr Yip for his question and for always having a heart for those that are less privileged. He is right to say that there will be certain hard-to-reach segments: seniors, perhaps persons with less privileged backgrounds. We do intend to use all channels available to the Government. They can certainly include people who are volunteers on the Seniors Go Digital programme. We would welcome the opportunity to partner with the Silver Generation Office or more broadly, the Agency for Integrated Care, which also supervises the active ageing centres.
I should say that in terms of reaching out to, for example, small and medium enterprises, fortunately, we do have the trade associations and chambers who are forward leaning. In fact, they have approached us and initiated the process to better inform their members on what to do.
So, we will use all channels available to the Government in order to strengthen the outreach. If Members have suggestions on any groups that we may have missed out, please feel free to let us know too.
Mr Speaker: Mr Gerald Giam.
Mr Gerald Giam Yean Song (Aljunied): Sir, I have questions for Minister Josephine Teo and Minister Indranee.
First, for Minister Josephine Teo, how long has the Government known that organisations, including those in the public sector, have been using NRIC numbers as an authentication factor and why did it not prohibit its use long before December 2024?
Up to December, large regulated organisations like insurers were reportedly still using NRIC numbers as default passwords. I note the Minister said earlier that the organisations should stop doing so as soon as possible. Will the Government legally prohibit Government agencies and organisations from using NRIC numbers as authenticators and do so by a certain deadline?
Secondly, I note that Minister Josephine Teo replied to me earlier that the risks do not arise directly from the structure of the NRIC number. However, my question about this alternative NRIC structure arises because a masked NRIC number can still be reverse engineered due to the algorithm and checksum that it follows. While this algorithm is not officially published, it is widely known. My question is: what prevents the NRIC number from being randomly generated, moving forward, instead of relying on an algorithm? If the concern is that businesses need to check the validity of an NRIC number provided, I would highlight that many NRIC generators online can already produce numbers that pass this checksum.
And to Minister Indranee: business owners and corporate secretaries have reported that many share transfers and annual returns could not be submitted on the new Bizfile portal after it was launched. These are basic functions that every business owner uses. Was sufficient user acceptance testing conducted and signed off by ACRA before the launch of the new portal?
Mrs Josephine Teo: Mr Speaker, I thank Mr Giam for his questions. As I said in my Ministerial Statement, the problem is relatively contained. So, we have observed instances of, for example, bank statements being sent to individuals and being accessed with most of the time, a partial NRIC number. Usually, in what people receive, you need a password to access a file that is attached to an email. Although the email is already encrypted, for whatever reasons, these organisations still believe that it is necessary to attach another layer of access security for the document that is carried as part of the email. So, this process then involves, very often, using a combination of some other identifier, some other information, could be date of birth, combined with part of the NRIC number to access. The question has to be, is there really a need for authentication to begin with?
If you use the example that I have just raised, previously, before statements of this nature were sent by encrypted mail, it would have been mailed to our homes in a little envelope. That envelope does not need a special password for us to open up. So, the fact that some organisations have decided that they need a further layer of authentication in order to access that bank statement, firstly, we would invite the organisation to think through: do you really, really need it? So, that is one question.
If they still choose, for whatever services that they make available digitally to their clients or to their stakeholders, to require authentication, then, our advice to them is that the NRIC number is not a very good authenticator, they should not use it at all. So, that remains our advice.
As to the question of whether we will legally prohibit the use of NRIC numbers as authenticators, as I said, the practices for the private sector will have to be decided upon consultation. So, I do not want to say now, what the landing point is going to be. But even without a legal prohibition, I think if organisations care about their data security and they care about protecting the data that they have in their possession or the services being accessed by people who are not intended to enjoy the service, then they should really re-think the authentication methods.
Their customers ought to be sensitised to this too – that when the NRIC number is being used by an organisation as an authenticator, it is actually not safe at all. It goes to the Member's point that there are algorithms online that will allow you to work backwards, using the masked numbers to uncover the full number. Which is why we are advising our own public agencies to move away from the use of the masked numbers and not to give themselves that false sense of security.
The Member's question on, how about if you invented a new identifier that cannot be worked backwards from the partial identifier? I think my answer still stands. Whether you can work out or you cannot work out, the identifier is not meant to be a secret. It is not shared widely, but some people will know. For example, the persons whom you revealed it to at the clinic, the person that you revealed it to when making a mobile line application. If this person was determined to get hold of your identifier, the NRIC number in this case, or any other identifier that you use to access information and services that are not meant for them, they will do so. It comes back to the fundamental point, even if you cannot work out the full identifier from a partial identifier, as long as that identifier is used for the purposes of authentication or as password, you still have a problem.
I hope that explains our position and our thinking.
Ms Indranee Rajah: Mr Gerald Giam had a clarification on the difficulties encountered by users with respect to share transfer forms and annual returns on the new Bizfile portal. Can I just confirm with Mr Giam that that has nothing to do with the NRIC numbers issue? That is a separate topic, right?
Mr Gerald Giam Yean Song: Yes.
Ms Indranee Rajah: Okay, on that, I understand that there have been some initial issues with the new Bizfile portal. However, what ACRA has done is that they have given an extension of time to users who need to file the documents and they have also indicated that no late penalties will be imposed on people who have difficulties with filing. So, firstly, extension given; second, no penalty; and third, if anyone is having difficulty with their filing still, please do contact ACRA and their service personnel will assist. Their contact information is on the website.
Mr Gerald Giam Yean Song: How about the user acceptance testing? Was it done for the new Bizfile portal?
Ms Indranee Rajah: I do not have details on what kind of testing exactly was done, but what I think I can say with relative confidence is that some testing was done. The question on this specific testing, I do not have the answer to that. But anyway, anybody who is experiencing difficulty, please contact ACRA and they will assist you; and in the meantime, they are working to resolve any technical difficulties.
Mr Speaker: Assoc Prof Jamus Lim.
Assoc Prof Jamus Jerome Lim (Sengkang): Sir, very brief preamble for context. It is useful to reiterate the distinction, as acknowledged by Minister Teo, between an individual acknowledging that the NRIC number is neither a foolproof nor secure method for personal identification and, hence, may be desensitised; and the same individual consenting and being comfortable with their NRIC being released or broadly disseminated. Most Singaporeans will agree with the former, but strongly disagree with the latter. My questions have to do with the implications of this distinction.
For Minister Teo, going forward, would the Government's policy of desensitising the NRIC number also lead to difficulties in the practical implementation of low-grade access restrictions, such as passwords for PDF documents, like she mentioned early on, that contain confidential, but not secret information? And relatedly, whether there have been any feasibility studies on what a widespread desensitised NRIC policy could mean for the day-to-day operation of businesses in our economy?
For Minister Indranee, if indeed it was within the Government's rights to release personal information on company directors, according to the ACRA Act, could this, then, deter individuals from being willing to take up directorships, especially for small and micro businesses where friends and family are often roped in as directors? And, if so, whether some kind of opt-out clause for deep, personal information, including address and NRIC number, beyond just the name, for directors for such small firms, would be possible? Because at least for smaller firms, this kind of deep due diligence may not be necessary.
Mrs Josephine Teo: Mr Speaker, two quick responses to Assoc Prof Jamus Lim.
First, I believe that his opening sentence in his preamble is erroneous. We did not say that the NRIC number is not suitable for identification. It is an identifier. It is a unique identifier. So, it has to be used for identification. It is authentication that it should not be used for. You can use it to identify a person. You cannot use the NRIC number to prove that the person is who he claims to be. I do appreciate that there is a lot to take on board, so, I would refer Assoc Prof Jamus Lim to the specific statements on this topic of drawing a distinction between the NRIC number as an identifier and as an authenticator, so that we could have a proper understanding of what it is.
The second response to his comments is that, I am not sure that it is useful to characterise what we are doing as desensitising. As I explained, we are not making a change to allow the full NRIC number to be widely disclosed. The only change that we are making is to stop the incorrect uses of NRIC numbers as authenticators and as passwords. Nowhere in this description is there a need to refer to desensitisation. I am not sure that that characterisation applies to what we are seeking to do and I would encourage Members not to use this characterisation.
To reiterate, we are not making a change to allow full NRIC numbers to become widely disclosed. The only change we are making is to stop incorrect uses of NRIC numbers as authenticators and as passwords.
Ms Indranee Rajah: Assoc Prof Jamus Lim asked whether the ability to make known NRIC numbers might deter individuals from taking up directorships and whether there can be some kind of opt-out clause. It is necessary to go back to first principles and the very basics of corporate governance.
The reason why you have information available is for corporate transparency. Why do you have corporate transparency? It is to protect the public. You must protect the public because anybody who sets up a business and transacts with the public, interfaces with a member of the public; and that member of the public transacting with you, may run into difficulties or issues and must then know whom they are dealing with.
Let us take an example that people can relate to – say, your home renovation. Most times, it could be a company or, say, a sole proprietorship. It is Mr Wong trading as General Renovations and the name card will say "General Renovations". You have no idea who the company "General Renovations" is. You will go to Bizfile, you will search "General Renovations" and you will find that it is Mr Wong trading as General Renovations. But there could be many other Mr Wongs as well. So, you need to know which Mr Wong it is, because if your renovations were not done properly and you need to claim a refund or sue him, for example, you need to know whom you are dealing with.
So, it is the essence of a business register or corporate register that you must know and be able to identify the specific individual or entity that you are dealing with. Hence, it is about looking at it through a different lens.
If anybody has a concern that they do not wish to have their NRIC number known and, for that reason, do not become a corporate director, that perhaps may be a step too far. But the bottom line is, in our regime, as well as in many other countries, if you are going to do business and transact with the public, the public has to know who you are and be able to contact you.
To the extent that we can make some concessions, we have done so. For example, under the last round of amendments, you can now put a separate contact address instead of your residential address. So, if somebody needed to sue you, they could leave the Writ of Summons at your office. They do not necessarily have to go to your residence. So, we have made some shifts, but on identification, there is no running away from the fact that you still need to be able to identify the individual you are dealing with.
Mr Speaker: Okay, we are approaching the end of time for the Ministerial Statements. Mr Leong, are you asking a clarification to the Minister's response, not a new clarification? Alright, I will allow that.
Mr Leong Mun Wai: Mr Speaker, Minister Indranee took credit for what I said in my preamble, but did not answer my questions. So, can I ask the question again: whether the circular was cleared by any political office holders and whether political office holders were giving directions when civil servants in ACRA and MDDI were clarifying with one another on the instruction in the circular?
Mr Speaker: That was not in your preamble, that was your question. Minister Indranee.
Ms Indranee Rajah: Mr Speaker, Sir, I first should clarify that I was not taking credit at all for Mr Leong's preamble. Mr Leong had actually made a couple of statements. I clarified that that was what he was saying and, far from taking credit, I thanked him for his position.
On the second question, I actually partially answered it, but I have checked. As far as I am aware, no political officeholders were involved in the circular minute or gave directions on it. But I also said just now that the Member should wait for the findings of the after-action review. This is as much as I know and I am not purporting to be the complete encyclopedia of everything that has happened because there is currently an ongoing review.
2.44 pm
Mr Speaker: Order. End of Ministerial Statements. The Clerk will now proceed to read the Orders of the day.