Private organisations must cease use of NRIC numbers for authentication by 31 December 2026

26 February 2026

On 2 February 2026, the Personal Data Protection Commission (“PDPC”) announced that private organisations will have until 31 December 2026 to phase out the use of full or partial NRIC numbers for authentication, with PDPC set to step up enforcement action from 1 January 2027.

In addition, on 3 February 2026, the Ministry of Digital Development and Information (“MDDI”) issued a press release and a parliamentary reply on the responsible use of NRIC numbers across public and private sectors. MDDI noted that since January 2025, the Government has been working to ensure the responsible use of NRIC numbers across public and private sectors, including:

  • working with organisations to stop the use of NRIC numbers for authentication (i.e. to prove an individual is who they claim to be) in the private sector; and
  • moving away from using partial NRIC numbers for identification (i.e. tell people apart) in the public sector.

PDPC enforcement against misuse

Organisations that use NRIC numbers for authentication to access personal data may be found to have breached the Personal Data Protection Act 2012 for failing to make reasonable security arrangements to protect personal data. From 1 January 2027, PDPC may impose directions or financial penalties for such misuse. Organisations may also refer to PDPC’s latest advisory on good practices for protecting personal data, including NRIC numbers.

Stopping use of NRIC numbers for authentication

The Government is working with the private sector to stop the use of NRIC numbers for authentication. MDDI informs that the Government is also moving away from using partial NRIC numbers in progressive stages. Partial NRIC numbers are not a reliable method for identifying individuals as some individuals may share the same partial NRIC numbers, and there are instances where two individuals share both the same name and partial NRIC number.

Where there is no need to accurately identify someone, there will not be a need for NRIC numbers to be used at all. When there is a need to identify individuals accurately, such as in licences and employment letters, public agencies will progressively move to using full NRIC numbers instead.

Sectors phasing out use of NRIC numbers

The Infocomm Media Development Authority, the Monetary Authority of Singapore, and the Ministry of Health have also issued guidance to the telecommunications, finance and insurance, and healthcare sectors on ceasing the use of NRIC numbers for authentication within their sectors.

Most recently, on 2 February 2026, the Association of Banks Singapore (“ABS”) issued a brief statement noting that banks are committed to phasing out the use of NRIC numbers for authentication. Currently, NRIC numbers alone cannot be used to effect financial transactions like payments and funds transfers, where multi-factor authentication is used. Most banks no longer use NRIC numbers for authentication in non-transactional situations such as opening encrypted email attachments. Those that still do will transition to alternative authentication methods in the coming months.

Public consultation

In its parliamentary reply to a question on the progress made to ensure the appropriate use of NRIC numbers across both public and private sector transactions, MDDI stated that the Government will conduct a consultation prior to changing guidelines for the use of partial NRIC numbers.

Reference materials

The following materials are available on the PDPC website www.pdpc.gov.sg, the MDDI website www.mddi.gov.sg, and the ABS website www.abs.org.sg: