Organisations to Cease the Use of NRIC Numbers for Authentication by 31 December 2026 – PDPC, 2 Feb 2026

Key Takeaways

1. Deadline set: Private organisations in Singapore must stop using NRIC numbers (full or partial) to authenticate users by 31 Dec 2026.

2. Why it matters: Using NRIC numbers as login credentials or default passwords exposes personal data and increases the risk of unauthorised access. Government agencies have already moved away from such practices.

3. Enforcement stepping up: From 1 Jan 2027, the Personal Data Protection Commission will step up enforcement, including issuing directions and financial penalties for continued misuse under the Personal Data Protection Act (PDPA).

4. Sector guidance: Other regulators (e.g., Infocomm Media Development Authority, Monetary Authority of Singapore, Ministry of Health) have issued related guidance on stopping NRIC-based authentication in their sectors.

️ Bottom line: NRIC numbers should not be used as authentication credentials — plan and implement safer alternatives before the end-2026 deadline.

Unsure of your organisation’s next steps?

Here’s practical action list organisations should take in response to the PDPC announcement:

1. Identify NRIC usage;
2. Stop NRIC-based authentication;
3. Implement safer alternatives;
4. Review third-party systems;
5. Update policies and SOPs;
6. Train staff;
7. Update customer communications; and 
8. Complete changes by the deadline.

If you require further assistance, please reach out to P2D Solutions at https://p2dsolutions.com.sg/contact/.

Further reference: https://www.pdpc.gov.sg/news-and-events/press-room/2026/01/organisations-to-cease-the-use-of-nric-numbers-for-authentication-by-31–december-2026

#PDPC #DataProtection #PDPA #P2DSolutions #NRIC #Privacy