2026 Reminder: NRIC Numbers Should Not Be Used as Passwords


Organisations in Singapore should no longer treat NRIC numbers as a convenient way to verify a person’s identity or protect documents. The Personal Data Protection Commission (PDPC) and Cyber Security Agency of Singapore (CSA) have updated their joint advisory on authentication practices, with new guidance on alternatives to using NRIC numbers when sending or allowing access to electronic documents.

The full advisory is available on the official PDPC page: Updated Guidance on Authentication Alternatives when Sending or Accessing Electronic Documents.

What authentication actually means

Authentication is about confirming that a person is authorised to access a document, service, account, or record. This is different from simply identifying a person. An NRIC number may help distinguish one individual from another, but it should not be used as proof that the person is genuinely authorised.

NRIC numbers are permanent, widely used, and often already available to multiple organisations. Once exposed, they cannot be easily changed like a normal password.

Organisations must decide what level of authentication is needed

The updated guidance reinforces that organisations are responsible for deciding whether authentication is needed, and what level of authentication is appropriate. This should depend on the sensitivity of the information, the possible harm from unauthorised access, and the context in which the document or service is being provided.

A general notice may not require the same level of protection as a payslip, financial statement, medical record, resident record, or document containing sensitive personal data.

Stop using NRIC numbers as passwords

A key takeaway is that organisations should stop using NRIC numbers, whether full or partial, as passwords, default login credentials, or verification answers.

  • Avoid using full or partial NRIC numbers as passwords.
    This includes the common practice of password-protecting electronic documents using the recipient’s NRIC number.
  • Treat NRIC numbers as identifiers, not secret credentials.
    While using NRIC numbers may seem convenient, it creates a weak safeguard because NRIC numbers are not truly confidential. They may already be known to multiple parties and cannot be reset like ordinary passwords.

Safer alternatives for electronic documents

The updated advisory highlights several safer alternatives.

  • Use a website or app with a user account.
    Organisations may provide access to documents through a secure website or app where users log in using their own account credentials. This is generally more suitable for recurring access or where the organisation already maintains a user portal.
  • Use an expiring or single-use link with a unique password.
    For one-off access, organisations may use a link that expires or can only be used once, together with a unique password. This reduces the risk of long-term unauthorised access if the link is forwarded or exposed.

  • Use an emailed document with a unique password set by the organisation.
    Organisations may still send password-protected documents by email, but the password should be unique and not based on the recipient’s NRIC number. The password should also be shared through an appropriate separate channel, where possible.
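A sketch of the expiring, single-use link with a unique password described above. This is an added example, not code from the advisory or from Privacy Ninja. The in-memory store, the `docs.example.com` URL, the 24-hour lifetime, the failure limit and the PBKDF2 settings are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

LINK_TTL_SECONDS = 24 * 3600   # assumed policy value, not taken from the advisory
MAX_FAILURES = 5               # assumed lockout threshold per link
PBKDF2_ROUNDS = 600_000        # assumed work factor
_store = {}                    # sha256(token) -> record; stands in for a database table

def _token_key(token: str) -> str:
    # Store only a hash of the token so a leaked table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def issue_link(document_id: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Return (url, password); deliver the two through different channels."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)      # random link component, 256 bits
    password = secrets.token_urlsafe(12)   # random and unique; not derived from any
                                           # attribute of the recipient such as the NRIC
    salt = secrets.token_bytes(16)
    _store[_token_key(token)] = {
        "doc": document_id, "salt": salt, "pw": _kdf(password, salt),
        "expires": now + LINK_TTL_SECONDS, "used": False, "failures": 0,
    }
    return f"https://docs.example.com/d/{token}", password

def redeem(token: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Return the document id once, or None if the link is unknown, expired,
    already used, locked out, or the password is wrong."""
    now = time.time() if now is None else now
    rec = _store.get(_token_key(token))
    if rec is None or rec["used"] or now >= rec["expires"]:
        return None
    if rec["failures"] >= MAX_FAILURES:
        return None
    if not hmac.compare_digest(_kdf(password, rec["salt"]), rec["pw"]):
        rec["failures"] += 1               # bound guessing against a forwarded link
        return None
    rec["used"] = True                     # single use: later attempts fail
    return rec["doc"]
```

Unlike an NRIC-based password, both values here can be revoked or reissued if a message is forwarded or exposed, because neither is tied to a permanent attribute of the person.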

Why does this also matter beyond electronic documents?

Although the advisory focuses on electronic documents, the broader principle is still relevant to other business processes, including access control and verification in physical settings.

Knowing a person’s NRIC number should not automatically be treated as proof that the person is authorised to enter a restricted area, collect information, or act on someone else’s behalf.

What organisations should review next?

From a PDPA compliance perspective, this is not only a technical issue. It is also a governance issue. Organisations should review where NRIC numbers are currently used, update staff instructions, revise templates, and ensure vendors are not relying on NRIC-based authentication by default.

Privacy Ninja’s DPO-as-a-Service can support organisations by reviewing existing authentication practices, identifying risky use of NRIC numbers, updating internal policies, and guiding teams on practical alternatives aligned with PDPC expectations.

The message is clear: NRIC numbers should be treated as personal identifiers, not passwords.
