Ministerial Statement by SM Teo Chee Hean on the Review Into the Public Disclosure of Full NRIC Numbers on Bizfile People Search

SM Teo Chee Hean | 6 March 2025

Ministerial statement by Senior Minister and Coordinating Minister for National Security Teo Chee Hean on the review into the public disclosure of full NRIC numbers on Bizfile People Search on 6 March 2025.

 

With your permission, Mr Speaker, may I request the Clerks to distribute a handout to Members, which I will refer to during my Statement? Members may also access the handout through the MP@SGPARL App.

Sir, on 9 December last year, the Accounting and Corporate Regulatory Authority (or “ACRA” for short) launched its new Bizfile portal to replace its existing system. Like its predecessor, the new portal included a People Search function. This function allowed users to search for and select the individuals associated with registered business entities whose information they wished to access through the purchase of a People Profile. So, there is a People Search function and a People Profile function. The People Search function is generally available to anyone. The People Profile function sits behind a paywall.

But unlike the old Bizfile portal, which showed partial National Registration Identity Card (or “NRIC”) numbers in the People Search results, the new Bizfile portal displayed full NRIC numbers. This caused public anxiety about how easily full NRIC numbers could be searched for and accessed. Therefore, the People Search function was disabled on the night of 13 December 2024.

The Minister for Digital Development and Information, Mrs Josephine Teo, and the 2nd Minister for Finance, Ms Indranee Rajah, held a media conference on 19 December 2024, during which they apologised for the anxiety caused. They explained what had happened and the Government’s intent to change the existing practice of using partial NRIC numbers.

Ministers Josephine Teo and Indranee Rajah also made Ministerial Statements to this House on 8 January 2025 and responded to requests for clarifications from Members.

To thoroughly review the matter, the Prime Minister directed the Head of the Civil Service to set up a Panel to:
a. review the Government’s policy on the responsible use of NRIC numbers where it pertained to the Bizfile portal;
b. determine what led to the Bizfile incident; and
c. identify learning points so that similar incidents do not recur.

The Panel also reviewed the design and implementation of the People Search function, and the response to the incident by ACRA and the Ministry of Digital Development and Information (or “MDDI”), from the time that public concerns arose on 12 December 2024 until the People Search function was disabled on 13 December 2024.

The Panel submitted its Report to me on 25 February 2025. I reviewed the Report, and reported to the Prime Minister that I had accepted its findings and recommendations. After studying the Report carefully, the Prime Minister agreed with its findings, its assessment of the shortcomings, and the learning points identified. He said that the Government would take the lessons to heart to improve the processes and strive to do better. He directed that the Report be released to the public and for the matter to be deliberated in Parliament. ACRA and MDDI have also accepted the findings and released separate media statements on their follow-up actions.

So, Honourable Members would have had the opportunity to study the Report which was made public on 3 March 2025.

Incorrect Uses of NRIC Numbers

Sir, before we turn to the Panel’s findings, I will briefly summarise the issues regarding the use of full and partial NRIC numbers. This is set out on the first page of the handout, which is the Annex to the Panel’s Report.

Minister Josephine Teo had addressed these issues in her Ministerial Statement on 8 January 2025.

So, allow me to recap these issues briefly.

The NRIC number allows the individual to be referred to uniquely and definitively.

It is important to definitively refer to an individual by using the full NRIC number when required by law, and for other purposes, such as for medical procedures and business transactions.

However, the NRIC number had also become used by some organisations not just to definitively refer to the individual, but also based just on the NRIC number, to carry out important and sensitive actions. The use of the NRIC number in this way is unsafe, because the person’s NRIC number is likely to be already known to other persons or organisations.

Some organisations and people had also come to assume that the use of partial NRIC numbers means that the full NRIC number is thereby concealed and protected. Sir, with the availability of online algorithms, it is now easier and faster to work out full NRIC numbers from the partial NRIC numbers.

The use of partial NRIC numbers, therefore, neither meets the need to have a definitive way of referring uniquely to an individual, nor does it offer effective protection from the full NRIC number becoming known.

To address these issues, the former Smart Nation and Digital Government Office, now part of MDDI, commenced a policy review in 2022. The review determined that we should take steps to stop the incorrect use of NRIC numbers for authentication and also move organisations away from the use of partial NRIC numbers. This would allow NRIC numbers to be returned to their proper use as unique identifiers.

The Ministers overseeing SNDGO were responsible for deciding the policy direction on the use of NRIC numbers. The Ministers endorsed the policy intent of returning NRIC numbers to their proper use as unique identifiers, and the broad implementation approach to do so.

The Permanent Secretaries of SNDGO (and subsequently MDDI) had overall responsibility for the implementation plans in accordance with the guidance from the Ministers. SNDGO (and subsequently MDDI) knew the transition would take time and planned for the public sector to take the lead on both (a) stopping the use of NRIC numbers for authentication and (b) moving away from the use of partial NRIC numbers. It also started developing plans for public education and private sector engagements on the proper use of NRIC numbers and the risks of using partial NRIC numbers.

Sequence of Events

So, with that background, I refer Members to the second page of the handout, which is on the timeline of key events. The full listing is in the table in the Report. Briefly, the key facts are as follows:

SNDGO had planned for the public sector to move first in a phased approach. On 5 July 2024, MDDI issued a Circular Minute (or “CM”) to public agencies to stop the use of NRIC numbers for authentication, and to start moving away from the use of partial NRIC numbers. MDDI conducted a briefing on 16 July 2024 for agencies (including ACRA) on the CM and answered their questions on it. The video recording of the briefing and MDDI’s responses to agencies’ Frequently Asked Questions were disseminated to agencies the next day. ACRA subsequently sought clarification via email from MDDI on how the CM applied to the display of NRIC numbers in the search results of People Search in the new Bizfile portal.

However, communications between the two sides were not clear. ACRA misunderstood MDDI’s instruction in the July 2024 CM for agencies to “immediately cease any planned use of masked NRIC numbers, for example, in new business processes or digital products”. ACRA interpreted this as a requirement to “unmask” or disclose NRIC numbers in full in the People Search function on the new Bizfile portal.

However, MDDI had intended that agencies could continue to use partial NRIC numbers for their existing external-facing use cases, but were not to introduce new use cases of partial NRIC numbers. To MDDI, ACRA’s Bizfile People Search function was considered an existing use case because it was a service that was already existing in the old portal.

MDDI had also assumed that when agencies stopped using partial NRIC numbers, they would consider if NRIC numbers remained even necessary for those use cases. This would be in line with existing requirements under the Government’s Instruction Manual on Information Communications Technology & Smart Systems Management (or “IM8” for short).

Based on ACRA’s interpretation of the July 2024 CM, ACRA then instructed its IT vendor on 17 August 2024 to make the requisite system changes to display NRIC numbers in full in the People Search function on the new Bizfile portal, which was then launched on 9 December 2024.

Panel’s Findings

Sir, I will now move to the Panel’s findings, which are summarised in the third page of the handout. The Panel found that a confluence of several shortcomings on the part of both MDDI and ACRA, and how they had interacted with each other on this issue, led to the incident.

First, the Panel found that MDDI should have been clearer in its policy communications in its July 2024 CM. MDDI and ACRA staff did not realise that ACRA had misunderstood how the July 2024 CM applied to the new Bizfile portal. Specifically, MDDI should have explained key terms and phrases in the CM more clearly. Although MDDI did make efforts to brief agencies on the requirements of the July 2024 CM and disseminated the video recording of the briefing as well as the FAQs to them, the relevant documents were not appended to the CM. So, if one referred to the CM, one would not have seen the other clarifications arising from the session that MDDI had with the agencies.

Second, there were internal shortcomings within ACRA in sharing and acting on the information from MDDI on the July 2024 CM. The FAQs mentioned earlier were not properly disseminated within ACRA by the officers who had attended the briefing and the officers who received the video and email of what had happened. This contributed to ACRA’s continued misinterpretation of the July 2024 CM and resulted in them making decisions based on incomplete information. These FAQs would, for example, have alerted ACRA that stopping the use of partial NRIC numbers did not mean showing full NRIC numbers in every case, and agencies could decide to drop the use of NRIC numbers altogether.

Third, the Panel found that MDDI should have paid more attention to the implementation plan for new use cases of partial NRIC numbers that were more complex, such as public registries. The Panel found that, in directing agencies to stop new use cases of partial NRIC numbers, MDDI did not differentiate between simpler use cases, like one-to-one correspondence between public agencies and members of the public, and more complex use cases, like public registries which could potentially disclose a large amount of data to third parties performing searches. ACRA, as the national business registry of Singapore, is one such public registry. One of ACRA’s functions is to provide public access to certain information in the registry, so as to maintain corporate transparency. The standard approach for public registries is to have safeguards, such as a paywall, so that as far as possible, access to the needed information from the registry is available only to users for whom the service is intended. But there is also often a search function for the registry, before these safeguards, which is open to everyone, to narrow down the information in the registry which the user wishes to access; and agencies have to determine how much to reveal when someone performs a search without having to go through safeguards such as a paywall for the information. For such complex use cases, additional guidance from MDDI would have helped agencies decide whether disclosing full NRIC numbers was necessary, and if so, determine what safeguards should be put in place.

Fourth, in deciding to disclose full NRIC numbers in People Search, ACRA did not first assess the proper balance between sharing full NRIC numbers and ensuring that they were not too readily accessible on the People Search function. This contravened the Government’s internal rules on data management, namely, IM8, which ACRA was required to comply with under the Public Sector (Governance) Act (or “PSGA” for short).

Sir, ACRA’s frame of mind when interpreting the July 2024 CM was influenced by its discussions with MDDI five months earlier in February 2024. In February 2024, five months earlier, ACRA had planned a change to its People Profile function, the part after the paywall, to only provide partial NRIC numbers, instead of the full NRIC numbers which it had all along been providing. At that time, SNDGO had advised ACRA on the wider move towards stopping public agencies from using partial NRIC numbers. So, this was in February. Bizfile users had also given feedback to ACRA that full NRIC numbers were needed for corporate transparency. So, in view of this feedback, and ACRA’s exchange with SNDGO, ACRA decided to continue providing the full NRIC numbers in the People Profile function instead of making its proposed change to partial NRIC numbers. So, this is the People Profile function, which is after the paywall, and these were events and discussions in February, five months before the events that occurred. This exchange with SNDGO in February gave ACRA the impression that the policy intent was to “unmask” all partial NRIC numbers (which was not the case). But that was ACRA’s frame of mind when interpreting how the July 2024 CM should be applied to the People Search function in the new Bizfile portal, specifically whether to continue providing partial NRIC numbers, or to change to providing full NRIC numbers instead, to the part before the paywall.

Nonetheless, even if ACRA was under the mistaken impression that the July 2024 CM required them to disclose full NRIC numbers in People Search, ACRA ought to still have, as required by IM8, assessed the proper balance between the public interest in sharing full NRIC numbers, which was to promote corporate transparency; and the competing public interest in ensuring that full NRIC numbers were not too readily accessible.

The Panel found that the design of the People Search function of the new Bizfile portal made individuals’ NRIC numbers too easily available to those who were improperly using the People Search function in a way that went beyond its intended purpose.

Fifth, the review found that certain security features for the People Search function were not adequately implemented for the new Bizfile portal.

ACRA had required its IT vendor to implement various security features in the People Search function of the new Bizfile portal to protect against unintended uses by, for instance, limiting the extent of searches allowed. However, certain security features were not adequately implemented when the new Bizfile portal was launched on 9 December 2024. After displaying the People Search function, ACRA requested that the Government Technology Agency review the security features of the People Search function. So, this was after the fact, after the People Search function was already launched. This review found that some security features, including the CAPTCHA functionality, were not adequately implemented, allowing potential data retrieval using scripts from 9 to 13 December 2024.

These security issues were rectified by the vendor in the revised People Search function before it resumed service on 28 December 2024.

ACRA is following up with the vendor and considering all its available options. Without prejudice to any such options, the Panel noted that ACRA remains ultimately accountable for the implementation of the People Search function, even though it had contracted this to its vendor.

The sixth and last finding of the Panel was that the incident management after public concerns on the Bizfile portal surfaced on 12 December 2024 should have been better.

Upon receiving the public feedback, ACRA and MDDI should have ascertained more quickly the key facts of how the Bizfile incident happened, and ACRA should have disabled the People Search function sooner. Doing so would have addressed public concerns in a more timely manner.

The public communications and response to public concerns should also have been better coordinated and clearer. And in hindsight, the Government should have made clear to the public at the outset that moving away from the use of partial NRIC numbers did not automatically mean using full NRIC numbers in every case, or disclosing them on a large scale.

The Panel noted that the incident took place before MDDI had begun public education and engagement on the proper use of NRIC numbers as a unique identifier. If you recall, the implementation of this was in the public sector and the engagement of the private sector had not begun yet. This exacerbated public concerns when full NRIC numbers were easily searchable and accessible in the People Search function, since many members of the public would not have been familiar with the issues associated with the use of NRIC numbers. The Panel was of the view that it would have been better for MDDI to have embarked on public education and engagement earlier than what it had planned.

Mr Speaker Sir, the details of the Panel’s findings are in the Report. Having reviewed it, I agree with the findings. I would like to thank the Panel for their thorough work on this matter. As I had stated earlier, ACRA and MDDI have both accepted the Panel’s findings and are following up to address the issues identified, as set out in their respective media statements.

Beyond the agencies involved, this incident offers valuable and important lessons for the wider Public Service. To meet challenging and changing circumstances, new challenges, the Public Service will need to continually update its policies and practices. Some of these changes will not be straightforward. How we communicate and implement them will be critical. The Bizfile incident demonstrates that close coordination and careful attention to detail are required. Sometimes it is a single issue, but at other times, it can be a confluence of factors, that can lead to such incidents. The lessons that the Panel has identified will be disseminated across the whole of the Public Service. Agencies are expected to take them on board and apply them to their work to avoid similar incidents from recurring.

Accountability

Sir, beyond learning lessons, accountability is important as well.

The political office holders overseeing ACRA as well as the Smart Nation work in MDDI have overall responsibility for the organisations under their charge – and this is regardless of whether they had specific or direct responsibility for the actions that led to the shortcomings that occurred. Both Ministers Josephine Teo and Indranee Rajah have publicly accepted this overall responsibility and also apologised for what has happened.

At the Public Service level, the Permanent Secretaries of SNDGO (and subsequently MDDI) were responsible for implementing the policy. The Chief Executive of ACRA was responsible for the new Bizfile portal’s design and implementation.

While the Panel did not find any evidence of deliberate wrongdoing or wilful inaction by the ACRA and MDDI officers involved in this incident, the shortcomings identified, including ACRA’s contravention of IM8, should have been avoided.

Mr Speaker Sir, I should make clear that this Review Panel was not a disciplinary process. While the Panel’s Report serves as a reference, any disciplinary action, if warranted, in relation to individual officers will need to be conducted in accordance with the applicable frameworks and processes in the respective public agencies involved. And this is only proper.

The Public Service Division, MDDI and ACRA have taken into account the findings of the Panel, and have thus reviewed the roles, responsibilities and actions of the relevant officers involved in the shortcomings highlighted in the Report. These officers include those whose actions contributed directly to the shortcomings, as well as senior management who were responsible for providing oversight and guidance to the officers, and are responsible for the proper functioning of their organisations. The agencies have assessed that while there was no malicious or wilful wrongdoing by the officers, there were inadequacies in their judgement and actions. And appropriate measures are being taken against them. These measures range from counselling to retraining to reductions in performance grade, which will carry financial consequences such as a reduction in their performance-based payments.

As for ACRA’s contravention of IM8, the PSGA does not prescribe financial penalties for public agencies that contravene IM8. And there’s a good reason for that. The cost of any financial penalties would ultimately have to be borne by the public purse, if you impose a financial penalty on a public agency. Therefore, such penalties would not be meaningful. Instead, as I have stated, the necessary actions will be taken against the officers responsible. The PSGA is designed with that in mind. The Ministers overseeing ACRA and the Smart Nation work in MDDI had overall responsibility for the organisations under their charge, and the PM will take into account this incident in his evaluation of the Ministers.

Conclusion

Mr Speaker Sir, the Public Service holds its officers to a high standard of conduct and excellence. Singaporeans deserve and expect this. Given the range and complexity of public services, from time to time, mistakes will be made. If there is misconduct or malicious intent, we will deal with it severely and those involved will be punished. Where there had been no malicious or wilful wrongdoing, due consideration should be given to whether the officers had acted in good faith when we decide on what action to take.

And most importantly, the lessons arising from the incident must be learnt and internalised, not only by the officers involved or their agencies, but by the Public Service as a whole, so that they are not repeated.

Mr Speaker Sir, trust in the Public Service is essential. Maintaining that trust is therefore central to how we operate. When things go wrong, we are upfront with Singaporeans on where we have fallen short. We conduct thorough reviews and make improvements to our systems and processes to serve Singaporeans better while remaining fair to our officers. Sir, this recent incident, while regrettable, demonstrates the Government’s commitment to continuous improvement, to uphold the trust Singaporeans have placed in the Government and the Public Service.

Sir, I will be happy to take any clarifications.


Mr Speaker, I thank Members for seeking clarifications and the many useful points that they have made.

Let me close by making a few final points.

The Government has conducted a thorough review over two months on what had happened, why they happened, and how we can improve. The Report has been released publicly and has been thoroughly discussed today in this House. I thank Members for seeking these clarifications because it also helps to communicate to the public why we are doing what we are doing.

Taking reference from the shortcomings identified by the Panel, PSD, MDDI, and ACRA have followed up to review the actions and responsibilities of the officers involved in relation to the Bizfile incident. And this includes both senior officers and leaders of organisations, as well as officers who are directly responsible. But as I said, and I thank Members for their support, we will deal with them fairly.

The lessons learned, which the Panel had identified, are also being disseminated across the whole of the Public Service, so that agencies can take these on board and ensure that similar incidents do not recur.

Mr Speaker, even though the process and findings of the review may cause the Government discomfort, and even some embarrassment, we have gone about this openly and transparently. And I am glad that Members from both sides of the House agree with this. This is so that the Government can account to the public and demonstrate its commitment to rectify shortcomings and serve the people better.

This has been and will continue to be the Government’s approach when mistakes are made or shortcomings are identified from time to time. It is an approach that this Government is determined to continue. It is a key pillar of good governance, and for the good of Singapore and our people. Thank you Sir.
