• 24 July, 2025
• No Comments

Over 1,000 MyInfo-Linked Services and What They Mean for Your Data Privacy

As digital convenience continues to shape our daily lives in Singapore, more citizens are using MyInfo to simplify online interactions with banks, insurers, employers, and even dating apps. By linking their Singpass accounts to various third-party platforms, users can autofill their NRIC number, date of birth, marital status, and other personal information without having to key in details manually. The convenience is undeniable. But so too are the risks.

According to GovTech, the agency behind Singpass and MyInfo, more than 300,000 MyInfo transactions occur daily across over 1,000 digital services. While this high volume signals mass adoption and trust in government tech infrastructure, it also raises concerns about how much information users are freely handing over and to whom. In an era where data is power and where breaches and misuse are all too common, user awareness must keep pace with digital innovation. The more seamless our interactions become, the easier it is to forget what is at stake.

The rising popularity of MyInfo in the private sector

Initially developed to streamline government service delivery, MyInfo has since been embraced by the private sector as a fast, reliable method of verifying customer identity. Banks and insurance firms were among the first to incorporate MyInfo into their onboarding processes. More recently, non-traditional sectors such as dating platforms have joined in. Coffee Meets Bagel (CMB) uses Singpass verification through MyInfo to confirm user identities on its platform.

While the aim is to enhance safety, particularly in spaces prone to impersonation and fraud, it also means that highly sensitive data like NRIC numbers and marital status are being shared with companies outside of traditional financial or regulatory spaces. This expansion of use cases challenges the assumption that only core services need access to verified personal data. In reality, the boundaries of necessity are becoming blurred, often in ways the average user might not fully understand.

Oversight, consent, and the fine line between verification and over-collection

GovTech has publicly stated that organisations seeking to integrate MyInfo must submit a “user journey” that explains how the data will be used. Each request is reviewed on a case-by-case basis, and businesses are reminded not to collect more data than necessary. This aligns with the Personal Data Protection Act (PDPA), which mandates that personal data collection must be done appropriately and proportionately.

However, the level of due diligence exercised in approving such integrations remains opaque. GovTech has not disclosed what specific criteria are used to assess data requests, nor how potential over-collection is policed once access is granted. This leaves room for interpretation and, potentially, abuse. While the system is built on trust, its checks and balances may not be visible enough to reassure cautious users. Without transparency in how businesses are vetted or monitored, users are left to trust that all requests are both legitimate and essential.

The user’s role in safeguarding their own data

In this environment, individual users must take on a more active role in scrutinising what data they share, even when using a trusted government-backed system. Mr Josh Lee, managing director (Asia-Pacific) at the Future of Privacy Forum, advises that people should be more discerning before granting consent to share personal data. Consent, in theory, is only meaningful if it is informed. Yet in practice, many users click ‘allow’ without fully reviewing what they’re agreeing to.

This complacency can lead to unexpected consequences. As Hannah Yee-Fen Lim, Professor from Nanyang Technological University, points out, most users remain unaware of just how powerful modern data processing tools are. Data that seems innocuous when shared in isolation can become deeply revealing when aggregated, mined, or cross-referenced. For example, a user’s NRIC number, combined with their birth date and marital status, may be enough for bad actors to commit identity theft or phishing scams. Once shared, this data is difficult to retract, and the risks are long-lasting.

The need for clearer boundaries and stronger enforcement

The growing use of MyInfo in sectors such as dating apps presents an inflexion point in how Singapore manages data governance. While the PDPA provides a legal backbone, its enforcement relies on ongoing oversight, proactive audits, and public education. Companies integrating Singpass and MyInfo should be regularly audited to ensure they do not exceed their stated data use boundaries. Furthermore, users must be empowered with tools that allow them to view and manage their consent history across services.

Singapore has long positioned itself as a leader in smart nation initiatives. But a truly smart system is one that balances efficiency with ethics. Protecting user data does not mean compromising innovation. Rather, it requires frameworks that evolve alongside technology. Stronger guardrails around what constitutes “necessary” data, combined with better user-facing explanations, would go a long way in reinforcing trust.

Convenience with caution

The integration of MyInfo across both government and private digital services reflects Singapore’s commitment to a seamless and secure digital infrastructure. Yet the very success of this system necessitates greater vigilance from all stakeholders. Companies must exercise restraint and clarity in data requests. Regulators must enhance transparency around approvals and enforcement. And users must resist the temptation to equate government-linked platforms with blanket safety.

As organisations navigate the complexities of integrating services like MyInfo, partnering with experienced data protection specialists becomes increasingly critical. Providers such as Privacy Ninja help businesses implement rigorous data governance practices, reduce compliance risks, and stay aligned with evolving regulations. Our services include Data Protection Officer-as-a-Service (DPOaaS), Vulnerability Assessment and Penetration Testing (VAPT), Smart Contract Audits, and data breach management support.

By working with trusted partners, companies gain not just technical solutions but strategic guidance on how to build privacy into their systems and processes from the ground up. This proactive approach ensures that personal data is collected, used, and stored with both compliance and user trust in mind. As digital identity ecosystems continue to grow, these safeguards are not just helpful. They are absolutely necessary.