Unbelievable Facts about NRIC Check Digit Algorithm
What’s an NRIC check digit algorithm?
The NRIC Check Digit Algorithm is the compulsory identity document issued to citizens and permanent residents of Singapore. People must register for an NRIC within one year of attaining the age of 15 or upon becoming a citizen or permanent resident. Re-registrations are required for persons attaining the ages of 30 and 55 unless the person has been issued with an NRIC within ten years prior to the re-registration ages.
The National Registration Act of 1965 (last amendment in 2016) legislates the establishment of a national registry, as well as the issuance and usage of NRICs. The government agency responsible for the national registry and issuance of NRICs is the Immigration and Checkpoints Authority (ICA), a department under the Ministry of Home Affairs.
What is the NRIC check digit algorithm used for?
Many online voting, contests, giveaways, lucky draws, and account registrations on Singaporean websites require an NRIC check digit algorithm to participate. For example, game account registrations like AsiaSoft MapleStory, Audition, Online club memberships like NikonClub, ActiveSG, Shaw, Golden Village, etc.
Do note that if you create an online account, you have to remember the NRIC number that you use in case you need to reset the password or claim a prize.
How is the number generated?
The number is randomly generated. However, to make it valid, the random numbers are used to calculate the checksum (last character) using an algorithm described on the Wikipedia page. The algorithm changes accordingly if special rules like the starting letter or DOB are selected.
Is this legal?
The NRIC check digit algorithm’s validation is legal, as the algorithm is made public. This page serves to demonstrate that it is possible to do so. However, you should not use the NRIC check digit algorithm to impersonate anyone, as it is an offense.
By using this page to generate/copy NRIC/FIN numbers, you now agree to be responsible for your actions for the use of the numbers and waive all your rights to hold me liable for any problems arising from your actions.
Types of NRIC
- Pink for Singaporean citizens;
- Blue for permanent residents.
Each card is identified by an NRIC number (“Identity Card Number”), which is a unique set of nine alpha-numerics given to each citizen or PR. Biometric data are collected during card registration which includes the person’s left and right thumbprints as well as iris images.
Any change or error in the information on the card (apart from the change of address) must be reported within 28 days to ICA for a replacement card. A change of address does not require a replacement card but must be reported within 28 days to ICA or a neighborhood police center. A sticker showing the new address would be printed and pasted over the old address on the card.
What are Long Term Pass cards?
Since 2008, foreigners residing in Singapore on long-term passes have been issued green-colored poly-carbonate Long Term Pass cards, replacing the formerly issued green paper-laminated cards and stamp endorsement on travel documents.
Unlike the NRIC, all pass holders, regardless of age, must register for a Long Term Pass card, although fingerprinting is optional for people aged 6 to 14 and not applicable for children aged five and below. Employment-related passes and passes for family members of work pass holders are issued by the Ministry of Manpower (MOM). In contrast, the Immigration and Checkpoints Authority (ICA) issued student passes, and other long-term visit passes.
In addition to its use as identification and proof of immigration status in Singapore, the Long Term Pass card also facilitates travel to Singapore and acts as a visa for visa nationals. The Long Term Pass card is issued with a date of expiry, conditional on the cardholder holding a valid passport.
The structure of NRIC check digit algorithm
The structure of the NRIC number/FIN is @xxxxxxx#, where:@ is a letter that can be “S”, “T”, “F” or “G” depending on the status of the holder.
- Singapore citizens and permanent residents born before 1 January 2000 are assigned the letter “S”.
- Singapore citizens and permanent residents born on or after 1 January 2000 are assigned the letter “T”.
- Foreigners issued with long-term passes before 1 January 2000 are assigned the letter “F”.
- Foreigners issued with long-term passes on or after 1 January 2000 are assigned the letter “G”.
What are the offenses and penalties of NRIC?
There are a variety of offenses listed in the National Registration Act and its implementing legislation. These include:
- failure to register when required;
- giving a false address or failure to report a change of residence;
- possession of one or more identity cards without lawful authority or reasonable excuse;
- unlawfully depriving any person of an identity card;
- defacing, mutilation, or destruction of an identity card.
These offenses on conviction could result in a fine of up to $5,000 or imprisonment for a term not exceeding five years or both.
The Act also provides for the second category of offenses that carry more significant penalties of a fine of up to $10,000, imprisonment for up to 10 years, or both. These relate to offenses involving forgery or fraud in respect of an identity card.
Failure to comply with the NRIC regulations is an offense and, if convicted, could result in imprisonment for a term not exceeding two years or a fine not exceeding $3,000 or both.
What is the use of NRIC?
Holders of an NRIC are responsible for the card’s custody but are not required to carry the card on their person. Areas that will require NRICs to be verified include passports (immigration officers), polling stations (police officers), and those who undergo National Service in Singapore’s Armed Forces, police force, and civil defense force.
Notwithstanding this, if no identification can be produced, the police may detain suspicious individuals until such identification can be produced either in person or by proxy.
Production of an NRIC is also required for any person seeking accommodation at any hotel, boarding house, a hostel, or similar dwelling place and for any person offering to pawn an article at a pawnbroker. In the case of hotels, boarding houses, etc., if a person is not in possession of or fails to produce, an NRIC, the owner, manager, or other people in charge of such business must notify the nearest police station of the fact immediately.
The NRIC is also sometimes a required document for certain government procedures or in commercial transactions, such as the opening of a bank account. In addition, many businesses and other organizations in Singapore habitually request sight of an NRIC to verify the identity or to allow a person entry to premises by surrendering or exchanging it for an entry pass.
There is no legal requirement to produce the NRIC in these situations, and often either providing any other form of identification (such as a credit card, work, or office pass card with a photo on it) or simply providing an NRIC number (without producing the card itself) will suffice. From 1 September 2019, organizations can no longer request and store NRIC numbers for such purposes unless mandated by various laws.
Alternative data that businesses can collect instead of NRIC
PDPC does not prescribe the types of identifiers that organisations should employ in place of NRIC numbers. Organisations should consider the viability of alternatives to NRIC numbers depending on their specific business and operational needs.
Some alternatives that have been embraced by organizations include organization or user-generated ID, tracking number, organization-issued QR code, or monetary deposit. Organizations should also evaluate whether the options supplied are fair, and avoid collecting unnecessary personal data as an alternative to the individual’s NRIC number (or a duplicate of NRIC) (or a copy of NRIC).
Instances where the collection of NRIC is acceptable
In general, organizations are not permitted to collect, utilize, or disclose NRIC numbers (or copies of NRIC numbers). Where organizations are permitted to collect individuals’ NRIC numbers, they must nonetheless adhere to the PDPA’s data protection provisions. The PDPA’s Data Protection Provisions contain a number of requirements, which are discussed in detail in the PDPC’s Advisory Guidelines on PDPA Key Concepts (“Key Concepts Guidelines”).
They may do so only under the following conditions: a) The collection, use, or disclosure of NRIC numbers (or copies of NRIC numbers) is required by law (or an exception to the PDPA applies); or b) The collection, use, or disclosure of NRIC numbers (or copies of NRIC numbers) is necessary to accurately establish or verify the individuals’ identities with a high degree of fidelity.
Among other things, the PDPA requires organizations to design, execute, and routinely review policies and practices necessary to comply with the PDPA’s requirements.
The Consent, Notification, and Purpose Limitation obligations require organizations to inform an individual of the purposes for collecting, using, and disclosing his or her personal data, including his or her NRIC number, and to obtain his or her consent, unless otherwise required by law or an exception under the PDPA applies.
When an individual voluntarily contributes personal data to an organization for a specific purpose and it is reasonable for the individual to do so, the individual is presumed to consent to the collection, use, or disclosure of the personal data.
Also, drive home the point that your organisation’s DPO can help give advice on setting up proper data protection policies for your organisation.
How a DPO can help Organizations
A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). Every Organization’s DPO should be able to curb any instances of cyber threats and instances of data breaches as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.
For instance, at Privacy Ninja, we randomly conduct simulated email phishing to clients to see if there are any vulnerabilities present that a bad actor can exploit and patch them to ensure that the client’s data will never leak.
A DPO is also the person responsible for developing and enforcing the Organization’s data protection policy and may seek assistance or guidance from other DPOs through DPO networks or organizations.
For years, the NRIC number has been used by both government and commercial organizations as an unambiguous and “tidy” identifier for Singaporeans. Full NRIC numbers have been listed to identify winners of lucky draws. It is possible to borrow books from the National Library Board simply by scanning the barcode on a borrower’s NRIC card at self-service kiosks without requiring further authentication. Such instances have led to questions of possible fraud and identity theft.
In response to such concerns, only the last three or four digits and the letters are publicly displayed or published as the first three digits can easily give away a person’s age. Tighter privacy advice to stop indiscriminate collection and storage of NRIC numbers was issued in September 2018 by the Personal Data Protection Commission. It also encouraged organizations to develop alternative methods to identify and verify individuals.