In brief

On 2 February 2026, Singapore's Personal Data Protection Commission (PDPC) announced that private organisations must cease using full or partial NRIC numbers for authentication by 31 December 2026. Beginning 1 January 2027, the PDPC will step up enforcement, including issuing directions or financial penalties for continued misuse.

This policy shift follows the June 2025 PDPC–CSA Joint Advisory clarifying that NRIC numbers must not be used as identity verification credentials.

Key takeaways

In essence, organisations must stop using NRIC numbers for authentication by 31 December 2026, as continued use from 1 January 2027 may result in PDPC directions or financial penalties. The requirements specifically prohibit the use of NRIC numbers as passwords, login IDs or default credentials, including combinations with easily guessed personal data. Organisations should therefore review and redesign their authentication flows and transition to secure alternatives, noting that continued use of NRIC-based authentication may amount to a breach of the PDPA's obligation to implement reasonable security arrangements.

In more detail

The PDPC has reiterated that authentication (proving a person's identity before granting access to services or information) is distinct from identification, where identifiers such as names or numbers are used merely to tell people apart. Using NRIC numbers for authentication has been deemed unsafe, as NRIC numbers are widely known and can be used by unauthorised parties to access personal data.

The PDPC has highlighted several non-compliant practices, including:

  • Using full or partial NRIC numbers as passwords or login IDs
  • Using NRIC numbers as default passwords for accounts or digital documents
  • Combining NRIC numbers with easily obtainable personal information (e.g., names or birthdates) to form authentication credentials

Government agencies have already transitioned away from using NRIC numbers for authentication, and sector regulators such as the Infocomm Media Development Authority (IMDA), the Monetary Authority of Singapore (MAS), and the Ministry of Health (MOH) have issued guidance to their sectors to cease NRIC-based authentication.

From a compliance standpoint, private organisations using NRIC numbers to authenticate access to personal data may be viewed as failing to implement reasonable security arrangements under the Personal Data Protection Act (PDPA). Organisations must therefore review and update authentication processes to ensure alignment with the strengthened requirements.

Recommended steps include moving away from NRIC-based credentials altogether and adopting stronger authentication methods such as multi-factor authentication, robust password standards, tokens or biometrics. Organisations should also update internal SOPs, onboarding processes and system configurations to remove any NRIC-based defaults, and ensure that third-party vendors or hosted platforms likewise do not rely on NRIC numbers in any authentication field.

* * * * *

Sanil Khatri, Daryl Seetoh, and Natalie Joy Huang, Local Principals, have contributed to this legal update.

© 2026 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
