REACH (Telegram) 51 - What do you think of the Government’s position that NRICs remain personal data, and should be collected and used only when necessary? What more could be done to strengthen personal data protection?
(SK)
09 Jan 2025 (10am - 7pm)
REACH (Telegram)
REACH Singapore, [9/1/2025 10:33 AM]
Dear Contributors,
Welcome back! 😊
⏰ We will be opening the chat from 10.45am to 7pm today. ⏰
House Rules (short version of our Terms of Use) to keep in mind:
1. Be kind and respectful. We all want to be in a safe space to share our views.
2. Any and all threatening, abusive, vulgar or racially, religiously and ethnically objectionable content is prohibited.
3. Consider the quiet ones among us and give them a chance to comment.
4. No need to repeat your comment or in different forms (including caps) - we heard you loud and clear the first time.
5. Let's protect each other's privacy and keep contact details in this group what it should always be - confidential.
Full set of Terms of Use: https://www.reach.gov.sg/Participate/reach-telegram-group/REACH-Telegram-Group-Chat-Terms-of-Use/
We will strive to uphold these rules to ensure this is a safe space for all.
Please be assured that the points made by participants during the chat are aggregated and shared with relevant agencies.
The topic will be posted shortly.
Thank you.
Megan 😊
REACH Singapore, [9/1/2025 10:46 AM]
🔉 TOPIC 🔈
In Parliament on Jan 8, Digital Development and Information Minister Josephine Teo and Second Finance Minister Indranee Rajah addressed questions related to NRIC and the ACRA incident.
Min Teo addressed the Government's intent to change the practice of masking NRIC numbers and how the Government intended to stop some "incorrect uses" of the NRIC number today, as well as what private sector organisations should do.
Min Indranee elaborated on what happened after news of the disclosure of NRIC numbers on the Bizfile portal broke, and ACRA's next actions.
💭 What do you think of the Government’s position that NRICs remain personal data, and should be collected and used only when necessary? What more could be done to strengthen personal data protection?
📌 Incorrect use of the NRIC number
NRIC numbers remain a form of personal data, and should be collected and used only when necessary. Organisations that collect NRIC numbers have a duty of care, and must notify and seek consent on the use of the data and protect it, said Min Teo.
Min Teo also said that NRIC numbers are a means to identify individuals but some organisations have wrongly used the numbers as a means of authentication--which assumes that a person is who he claims to be simply because he can cite an NRIC number.
Another example is when organisations collect and use partial or masked NRIC numbers. However, continuing this would give Singaporeans a "false sense of security," said Min Teo, as algorithms that can guess or work out full NRIC numbers are now available online. If people think that their full NRIC number is still secret and use it as a password or authenticator, the risk of scams or identity theft will rise, she added.
📌 Next steps for the private sector
Private sector organisations that are using NRIC numbers as authentication factors or default passwords should stop this practice as soon as possible, said Min Teo.
Min Teo also said that private sector organisations that now collect partial NRIC numbers to identify people can continue to do so. "The guidelines for the private sector have not yet changed and we will only consider how they should be updated after consulting the public", she added.
📌 ACRA's new Bizfile Portal
More than 500,000 searches were made on a Government business filing website over five days in December after news emerged that people's names and full National Registration Identity Card (NRIC) numbers could be found.
This was much higher than the usual 2,000 to 3,000 daily queries made on the ACRA Bizfile website, said Min Indranee.
However, authorities are unable to identify the exact number of NRIC numbers disclosed as the Bizfile portal is not configured to track individual queries, Ms Indranee said in a ministerial statement delivered.
“Thus far, we have not uncovered any known threat actors based on the IP addresses that were used to make the people search queries between Dec 9 and 13.”
The minister also stressed that ACRA’s database does not contain the information of all Singapore citizens.
📌 Review Panel
A review panel, led by the Head of Civil Service Leo Yip and reporting to Senior Minister Teo Chee Hean, has been set up.
Min Indranee said the panel will review the Government’s policy on the responsible use of NRIC numbers and the disclosure of full NRIC numbers on ACRA’s Bizfile portal.
The panel expects to complete its review in February and will share its findings thereafter.
🔗 [ST] https://str.sg/knvd
📎 [CNA] https://www.channelnewsasia.com/singapore/acra-bizfile-nric-numbers-unmasked-josephine-teo-mddi-4844761
📎 [CNA] https://www.channelnewsasia.com/singapore/more-500000-searches-acra-bizfile-portal-dec-9-13-nric-indranee-4844871
----
G, [9/1/2025 11:09 AM]
"More than 500,000 searches were made on a Government business filing website over five days in December after news emerged that people's names and full National Registration Identity Card (NRIC) numbers could be found.
This was much higher than the usual 2,000 to 3,000 daily queries made on the ACRA Bizfile website, said Min Indranee.
However, authorities are unable to identify the exact number of NRIC numbers disclosed as the Bizfile portal is not configured to track individual queries, Ms Indranee said in a ministerial statement delivered."
CNA also reported:
"The website's updated search function was launched on Dec 9 and most of the queries were made on Dec 13, the day after news of the NRIC numbers broke."
"The minister also noted that a security feature designed to distinguish between human users and computer bots in the portal’s search function “was not working as intended”, following a security review by ACRA and GovTech."
So means what.. lots of data kena mined by bots and assumed leaked already right?
LCL (Danny 心), [9/1/2025 11:15 AM]
Heart method:
327. I post in REACH (Telegram) LCL (Danny 心), [8/1/2025 2:40 PM]:-
1. So in my opinion, as long as human heart and mindset don't change, regardless of how much effort put in by government to curb job discrimination - business still have a way to circumvent it.
2. Changing the heart and mindset will be more effective than focusing on policies alone.
Because no amount of policies or legislation can monitor or change a business conduct, if people's minds and heart don't change.
(Outward compliance with covert defiance will be the outcome.) (Disguise form of conforming, but hidden ways of discriminating acts to avoid penalty).
3. As long as profit maximization and KPI remain the core principle for top management or bosses - job discrimination cannot be eradicated.
4. It begins with the bosses and top management heart and mind.
(To restructure, to transform - start from the "heart").
----
CNA news 08 Jan 2025 08:49PM
The manpower ministry said that while there is now legal recourse for workplace discrimination, it will still take an “education-first approach” to cultivate the right mindsets among employers and workers.
****
1. See, even the Minister concur and share the view that no amount of legislation and guidelines can curb age discrimination.
2. Only "education-first approach" to cultivate the right mindsets among the employers and workers will work.
3. Changing the heart and mind of people is the only way that can uproot unhealthy practice.
Start from the "heart".
Daniel, [9/1/2025 11:16 AM]
I think that is not today's topic
LCL (Danny 心), [9/1/2025 11:17 AM]
4. So even young bosses and top management will grow old one day.
If their mindset don't change - next time it will be their turn.
Fortune turns in cycles.
5. This will be a powerful message to transform the young bosses and top management mindsets.
LCL (Danny 心), [9/1/2025 11:18 AM]
Is there any information that the data has been mine by bots?
Or is it just an assumption not supported by proof?
REACH Singapore, [9/1/2025 11:22 AM]
[ Poll : I am satisfied with the government's latest statements and follow-ups on the NRIC issue (Please share your views in the chats.) ]
- Yes
- Neutral
- No
G, [9/1/2025 11:22 AM]
Where's the proof that it's not mined by bots?
LCL (Danny 心), [9/1/2025 11:24 AM]
Simple.
If you can explain in technical terms how to detect bots operate and how to detect a legitimate device access the website - before jumping into conclusion.
LCL (Danny 心), [9/1/2025 11:36 AM]
1. “Thus far, we have not uncovered any known threat actors based on the IP addresses that were used to make the people search queries between Dec 9 and 13.”
2. The searches came from an estimated 28,000 Internet Protocol (IP) addresses, most of which were from Singapore.
These are 2 big clues that legitimate devices access the website and not bots even though a high volume of 500,000 search are made by 28,000 IP addresses.
I just make 2 searches yesterday.
And my IP address will be one of them that have conducted the 2 searches.
LCL (Danny 心), [9/1/2025 11:43 AM]
1. A security feature to distinguish between a bot and legitimate device not functioning doesn't mean a bot cannot be detected.
2. There are 7 layers in an OSI model.
3. It means the app layer the 7th layer, apps layer are not working to detect the bots.
4. But there are other layers like 3rd layer and 2nd layer eg. IP address and Mac layer to detect whether bots are used.
5. Bots are usually exploited by very skillful hackers who have very strong computer science proficiencies - to hack and take over IP devices, write programming code and do a mass attack from many compromise IP devices all over the world to access the website.
6. It could even be a State hacker if bots are used because hackers will need to crack and hack many password protected ioT devices to download malware as bots into the compromised devices such as routers, IP camera, IP CCTV, servers, PCs, smartphones, and many other IP based devices or ioT remotely and then launch a massive attack on ACRA website.
7. Even if ACRA apps to detect bots fail - there are many mechanism in Telcos, CSA SIEMS and ACRA security and network devices that can detect a bot attack.
The Minister statement imply this - did not uncovered any known threat actors.
And most of the IP address come from Singapore - means public IP address are registered and issued by the Telcos through DHCP or static IP addresses traced to legitimate users.
G, [9/1/2025 11:44 AM]
"More than 500,000 searches were made on a Government business filing website over five days in December after news emerged that people's names and full National Registration Identity Card (NRIC) numbers could be found.
This was much higher than the usual 2,000 to 3,000 daily queries made on the ACRA Bizfile website, said Min Indranee.
CNA also reported:
"The website's updated search function was launched on Dec 9 and most of the queries were made on Dec 13, the day after news of the NRIC numbers broke."
"The minister also noted that a security feature designed to distinguish between human users and computer bots in the portal’s search function “was not working as intended”, following a security review by ACRA and GovTech."
Since you like to ask others to figure it out for themselves.. you go figure it out yourself
😂
G, [9/1/2025 11:45 AM]
A bot running from your computer has no IP address?
LCL (Danny 心), [9/1/2025 11:45 AM]
That is why you only read the face value facts without understanding the underlying mechanism how it works - and quickly jump into conclusion.
LCL (Danny 心), [9/1/2025 11:47 AM]
Explain how IP address and Mac are assigned and how are they detected - by bots and legitimate devices.
Then convince everyone here.
G, [9/1/2025 11:48 AM]
I don't see why I have to adhere to your standard when you don't adhere to your own
LCL (Danny 心), [9/1/2025 11:49 AM]
Hahaha.
Any computer science or network professionals in the forum to explain to this gentleman how bots and legitimate devices work in a network?
G, [9/1/2025 11:54 AM]
Very disappointing that JT side stepped and didn't answer GG's query on whether govt agencies and organisations will be legally prohibited from using NRICs as authenticators, instead repeating her broken record on private sector
"Pointing out that large, regulated organisations such as insurers were reportedly still using NRIC numbers as default passwords, MP Gerald Giam (WP-Aljunied) asked if the government will legally prohibit government agencies and organisations from using NRIC numbers as authenticators and do so by a certain deadline.
In response, Mrs Teo said the practices for the private sector will have to be decided upon consultation."
https://www.channelnewsasia.com/singapore/nric-unmasking-opposition-mps-wp-psp-acra-bizfile-portal-compensation-4845286
G, [9/1/2025 11:57 AM]
This whole saga looks, sounds, and feels like govt made mistake. But when pointed out, they turn around and blame citizens for having incorrect understanding of NRIC usage
Fine gaslighting
LCL (Danny 心), [9/1/2025 12:00 PM]
WP MP Gerald Giam is a IT manager.
He would be able to understand the Minister statement if indeed bots are attacking the website or legitimate devices are accessing the website.
Evidently, Gerald Giam didn't suggest bots are attacking the website.
Also if there are indications that bots are attacking the website - MHA, CSA and police will have taken up the case to investigate as this will be a cyberattack on a government website.
Any indication of that?
LCL (Danny 心), [9/1/2025 12:38 PM]
1. Because ACRA come under MOF - and should be categorise as a CII (Critical Information Infrastructure).
2. So it should be monitored by CSA SIEMS for any sign or indication of cyberattack.
3. Looking at the news, CSA didn't raise an alert that bots are in the work or showing signs of a DDoS (Distributed Denial of Service) attack have taken place.
4. Hence another clue that legitimate devices are accessing the ACRA website, not the work of DDoS bots.
G, [9/1/2025 12:41 PM]
"One of the Block 386 residents said People's Action Party volunteers knocked on his door on Jan 4 and advised him to keep his door closed.
“There were two women from PAP who knocked on my door and they told me the opposition party was here to 'disturb',” he told The New Paper.
"They told me to ignore knocks from PSP members and keep my door closed.
“It's my first time seeing this type of behaviour and I find it childish.”"
https://tnp.straitstimes.com/news/singapore/bukit-gombak-residents-call-pap-psp-spat-childish-boh-liao
Jun Ming, [9/1/2025 1:14 PM]
So it means they cannot actually distinguished if it is bots or real search of nric
LCL (Danny 心), [9/1/2025 1:17 PM]
Using apps that wasn't functioning at that time, couldn't. Eg. Captcha.
But through other means - can.
Later I will explain how digital forensics are done to determine whether it is a bot or legitimate users.
But it will be very technical.
Jun Ming, [9/1/2025 1:18 PM]
Ok. So they have come to a conclusion bots are involved in majority searches?
LCL (Danny 心), [9/1/2025 1:18 PM]
They say they will review.
But the preliminary investigation does not show the sign of a bot.
LCL (Danny 心), [9/1/2025 1:19 PM]
Later when I explain you will understand.
LCL (Danny 心), [9/1/2025 1:21 PM]
But don't be misled by the high search rate.
I could have easily perform 10 searches in one access to the ACRA website.
Though I say 2 searches yesterday, but more than 10 results come out.
So it could be 20 searches.
I don't know how ACRA website tabulate the search results.
My physical search are 2 but result are 20 searches.
Jun Ming, [9/1/2025 1:22 PM]
Oh
G, [9/1/2025 1:22 PM]
Confusing "searches" with "search results"?
LCL (Danny 心), [9/1/2025 1:23 PM]
Go to do the search if you want to know what I mean.
G, [9/1/2025 1:23 PM]
Here say 500,000 searches
G, [9/1/2025 1:24 PM]
Your comment try to equate "searches" with "search results"
LCL (Danny 心), [9/1/2025 1:25 PM]
Sigh....
Not answering.
G, [9/1/2025 1:25 PM]
So be misled with this attempt?
Jun Ming, [9/1/2025 1:26 PM]
Regardless there will be 500000 data being revealed
G, [9/1/2025 1:26 PM]
Are you saying minister trying to mislead by saying "500,000 searches"?
LCL (Danny 心), [9/1/2025 1:26 PM]
Yes.
I will spend time responding to your more intelligent questions later.
G, [9/1/2025 1:29 PM]
Assumes 1 result per search
But according to @DannyCIN, he say 2 search, with 10 results = 20 searches.
According to his formula, if 500,000 searches have 10 results, = 5,000,000 searches
RY, [9/1/2025 1:55 PM]
If I rem correctly, they did hold a press conf and ACRA did apologise to the public
RY, [9/1/2025 1:59 PM]
There is mis-communication/mis-understanding in the govt directives to ACRA
Maybe govt/top mgmt shd learn fm this "mistake" incident
Nothing is perfect, and we shd always learn fm "mistake" always
REACH Singapore, [9/1/2025 2:01 PM]
🔉 TOPIC 🔈
RY, [9/1/2025 2:01 PM]
What has happened already happen
Most important is to quickly "salvage" whatever "data disclosure" damage fm this saga, admit "mistake" made and learn fm the lesson
Jun Ming, [9/1/2025 2:04 PM]
I think responsibility and punishment should be done after the whole incident
Jun Ming, [9/1/2025 2:05 PM]
Investigation
Hanny, [9/1/2025 2:06 PM]
IC number should never be used for authentication. There has been many break-ins in the past and many ic numbers have been compromised. Mining IC numbers can also be easily performed at shops. In the old days, people sell name and address to credit card issuers. Now people sell ic numbers.
RY, [9/1/2025 2:07 PM]
NRiC certainly is our personal data and should not be widely used or openly disclosed
However, wondering when govt mention private orgn, does it include banks / insurance companies also ?
As these orgn widely used NRIC info as verification/authentication too
Hanny, [9/1/2025 2:11 PM]
Government should make it illegal to use ic for authentication.
RY, [9/1/2025 2:11 PM]
Govt already set up a grp to specially investigate this "saga"
Believe rectification/improvement proposal will be included in the Report later
RY, [9/1/2025 2:20 PM]
Scamming is so so so common nowadays due to digital world and IT "hacking" (leaking of personal data)
Hence, NRIC shd be masked and not widely used
Same analogy as credit/debit card details in payment receipt
LCL (Danny 心), [9/1/2025 2:25 PM]
*Part 1 - How preliminary investigation can be conducted through digital forensic in the absence of bot detector apps to determine if bots or legitimate users access the ACRA search website.*
1. Normally to determine whether a bot has accessed a website, Bot detector like CAPTCHA will challenge the users to provide the right answer that will be difficult for bots to solve.
Then the Government will be able to provide proof without reasonable doubt that a bot has access the ACRA website.
As such apps is not functioning at that time, such empirical evidence cannot be captured and produce to tabulate indeed how many bots have attacked the ACRA website without reasonable doubt.
2. Then more technical and indepth digital forensic need to be conducted - to correlate and derive whether indeed a bot or legitimate user are accessing ACRA website to do the search.
3. The information given by the Minister are that :-
a. 28,000 IP addresses have accessed the ACRA website search. (They have to be public IP address registered and issued by Telcos through DHCP or static IP address assigned - to the IP devices - to allow Internet connection and access to take place. And public IP addresses have to be unique in the World - else IP address conflict will take place causing IP connection to fail. Hence it cannot be a private IP address - assigned by a hacker or any users).
Hence Telco will be able to trace who are assigned with this IP address - is it a handphone user, broadband laptop users, or ioT registered devices (that will be compromise by hackers).
b. Most of these IP addresses come from Singapore. Means Telcos, Government can do forensic studies on their network and security devices to examine if the IP address are legitimate users or ioT devices - from the network information stored in the Telco network database.
These 2 are vital clues - that will allow digital forensics to be conducted to establish whether a bot or legitimate users are accessing the ACRA website - as they are all within the network domain of Singapore Internet network.
---
G, [9/1/2025 2:28 PM]
They should also make it illegal for themselves to use IC for authentication?
Else it be another PDPA.. rules for thee, but not for me?
LCL (Danny 心), [9/1/2025 2:43 PM]
Part 2 - Let us understand how does a bot work.
1. Based on the 28,000 IP address accessing ACRA websites - if a bot takes place, it will be a hybrid of legitimate users and bot attacks. But bots being automated will dominate the access - as it work in a mass DDoS and faster than users with hand click to access the website - and crowd out all the legitimate users.
2. Hence for easier discussion, we assume 28,000 IP addresses are bots that have crowd out all legitimate users.
3. Hackers will need to hack into 28,000 IP based ioT devices - that will be protected by various means of security protection.
It could be a simple userid/password, it could be 2FA, it could be multi-factor authentication, it could be biometric protection, it could be digital token, secured by all sorts of encryption algorithm eg. RSA, 3DES, DES, AES etc.
And the ioT can be servers, PCs, laptops, network devices like routers, LAN switches, IT security devices like firewall, IPS, Proxies, APT, smartphones, IP CCTV, IP camera, IP fridge, IP aircon, IP cars etc.
To do so, a very big team of very skilled computer science, network, security system hackers etc - with very diverse range of IT knowledge such as Apple iOS, Android, Microsoft OS, Unix, Linux, Cisco ioS, TCP/IP, VMs, etc
Indeed everything happens in Singapore, that means to pool such a big teams of bot attacks - Singapore all network professionals, IT security professionals, white hackers, AI expertise, IT system professionals etc ---- albeit State Hacker effort will be needed to hack into ioT devices - write the malware, load into the ioT devices, set the time to launch a coordinated DDoS attack on the ACRA website.
Else it will be a global season hackers doing coordinated bots attack.
Or it would be a foreign State Hacker pulling all their resources to launch the bots attack.
LCL (Danny 心), [9/1/2025 2:45 PM]
Hacking into 1 ioT device is a very difficult task for a well protected ioT device by a professional hacker.
Compromising 28,000 ioT devices ....
RY, [9/1/2025 2:50 PM]
Let the special panel set up by govt do the investigation, as they will have/engage the professionals and resources to do so
We dont require to discuss in details, as it is not within our expertise and resources to do so
G, [9/1/2025 2:51 PM]
Let him say. He wants to showcase his technical know-how and try to prove and convince us that it's not a bot attack
RY, [9/1/2025 2:56 PM]
PDPA is a gd Bill pass by Govt and authority being set up to protect personal data privacy
I recd much much lesser scams and unsolicited sales calls/message nowadays
And receipts dont imprint my full card details (except last 4 digits) anymore
RY, [9/1/2025 2:59 PM]
In my opinion, rectifying and learning the mistakes, and room for improvement is more essential
Khai Mun L., [9/1/2025 3:01 PM]
It's a matter of perspective here. Some think nric should be confidential info, but some is not.
Especially when nric numbers have been already exposed out e.g. in the past or recent. Should we still continue with it as confidential?
What can be used to identify if a person is real? Maybe a combination of information, or setup some new social security number?
G, [9/1/2025 3:01 PM]
Yes.. but PDPA does not apply to govt..
LCL (Danny 心), [9/1/2025 3:03 PM]
Part 3 - What is the technical mechanism in a network - that determine whether it is a bot or a legitimate users?
1. When a legitimate user buy a smartphone, it will have to be registered with a Telco - who will assign a public IP address (Layer 3) to the user smartphone (could be DHCP - Dynamic Host Configuration Protocol) or static IP address.
This smartphone MAC (Medium Access Control) address (Layer 2) - also a registered unique address in the World (assign to device manufacturer) - will be capture by the Telco.
Both of these 2 information will uniquely identified the legitimate user. (Of course IMEI number will also be capture).
2. When a legitimate user buy a broadband/WiFi from a Telco - likewise public IP address, MAC address will also be registered and assigned by the Telcos with telephone number - again uniquely identifying the legitimate users
3. When user buy ioT devices like IP CCTV, IP camera etc - it will have to be registered with a Telco - because it need Telcos to assigned public IP address for Internet connection - and again MAC address are also capture by the Telcos - uniquely identifying this is a ioT device and not legitimate user.
So assume this ioT is compromise and hack by hackers to operate as bot, digital forensic conducted by the Government through network information given by Telcos - will have identified if this ioT operate by bots has indeed access ACRA website.
4. Based on the Minister statement - no known threat actor has access the ACRA website - which means no ioT IP address and MAC are capture to have access ACRA website.
It means legitimate users IP address and MAC address are accessing ACRA website.
5. MAC address which is a directly access layer 2 information through ARP (Address Resolution Protocol) and DHCP to acquire layer 3 IP address will be required for a legitimate user or iOT to connect and access the ACRA website.
6. Hence studying the logs in ACRA routers, firewall, server and Telco's security and network logs as well as CSA SIEMS security, incident and events management systems and logs --- will have revealed that legitimate users with registered public IP address and MAC address have accessed the ACRA websites and not ioT devices.
This will have ruled out the bot attacks.
RY, [9/1/2025 3:03 PM]
That explains the ACRA saga ...
Then Govt shd look into PDPA also then
G, [9/1/2025 3:05 PM]
Hence Gerald Giam's asking "...if the government will legally prohibit government agencies and organisations from using NRIC numbers as authenticators and do so by a certain deadline..."
But JT side stepped and kept on talking only about private organisations
https://www.channelnewsasia.com/singapore/nric-unmasking-opposition-mps-wp-psp-acra-bizfile-portal-compensation-4845286
RY, [9/1/2025 3:05 PM]
NRiC certainly is personal and confidential data
Otherwise, it wont be used as verification/authentication purposes
RY, [9/1/2025 3:08 PM]
Different people may have different perspectives
But personal data is personal data, it is a fact ultimately
Khai Mun L., [9/1/2025 3:13 PM]
Going by this, i would think government should not be bound to same strict standards as private sector.
Some method of authentication needs to be used by them. Especially when sharing info across agencies e.g. hdb to iras for tax matters, moh to cpf for medical claims etc
Khai Mun L., [9/1/2025 3:14 PM]
But then gray area comes in for agencies such as ACRA and semi-gov hospital/education sectors
RY, [9/1/2025 3:14 PM]
That is also my earlier msg/qns
Is banks/insurance companies consider private orgns ?
As they also use NRIC as part of their authentication process
RY, [9/1/2025 3:16 PM]
Agreed and the govt/special panel set up should review on this also
Hanny, [9/1/2025 3:34 PM]
PDPA is applicable to all gov agencies. Hence when one gov agency has your data, only that agency has access to that data. I worked in gov before.
G, [9/1/2025 3:35 PM]
Yes. They are private organisations
LCL (Danny 心), [9/1/2025 3:35 PM]
Oh just curious which gov department you work in?
Hanny, [9/1/2025 3:35 PM]
Banks don’t use ic as authentication now. They usually send sms or use app to authenticate.
Hanny, [9/1/2025 3:36 PM]
Govtech
LCL (Danny 心), [9/1/2025 3:36 PM]
I see.
From science park to suntec to mapletree.
G, [9/1/2025 3:37 PM]
No. That act is not applicable to govt agencies.
This is mentioned in para 1.7 of PDPC's advisory guidelines for NRIC numbers
"These Guidelines do not apply to the collection, use and disclosure of NRIC numbers (or copies of NRIC), and the retention of physical NRICs by a public agency or an organisation that is acting on behalf of a public agency. Public agencies in Singapore (including Government Ministries, Statutory Boards and Organs of State) are excluded from the Data Protection Provisions of the PDPA."
Hanny, [9/1/2025 3:39 PM]
In practice, it’s not easy for gov agencies to gain access from another agency. By default, no access.
G, [9/1/2025 3:39 PM]
This is different from saying that govt agencies need to comply with PDPA.. Especially when PDPA itself already excludes govt bodies
Hanny, [9/1/2025 3:41 PM]
My Singpass used to show single. But I am definitely married. I filled up many forms with gov and still Singpass show single. It took me a while to get this status changed.
RY, [9/1/2025 3:42 PM]
When go to the bank for some transactions, they still using physical NRIC as part of their verification purposes
G, [9/1/2025 3:42 PM]
footnote 3 for para 1.7:
The Data Protection Provisions are found in Parts III to VI of the PDPA. Section 4(1)(c) of the PDPA provides that Parts III to VI shall not impose any obligation on any public agency or organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data
Jun Ming, [9/1/2025 3:44 PM]
I think certain gov agencies should adopt private practice of masking nric. Because I don't see there's a need for some agencies to have the nric
RY, [9/1/2025 3:45 PM]
Govt has own data privacy protection law known as "Public Section Governance Act" (PSGA) that they have to comply with - Refer to the Pdf file forwarded
Jun Ming, [9/1/2025 3:46 PM]
For instance acra should not have taken full unmasked nric
Jun Ming, [9/1/2025 3:47 PM]
As in public eyes it's like a private organisation with gov duties
RY, [9/1/2025 3:48 PM]
ACRA is not consider private orgn though
G, [9/1/2025 3:49 PM]
Link please?
Jun Ming, [9/1/2025 3:49 PM]
I understand. But... You seldom heard this org until this incident happens
RY, [9/1/2025 3:50 PM]
https://www.smartnation.gov.sg/files/publications/government-personal-data-protection-policies-apr2020.pdf
RY, [9/1/2025 3:51 PM]
The link and the Pdf file
Jun Ming, [9/1/2025 3:51 PM]
So I feel that certain things that is not so sensitive should not use nric as identifiers
RY, [9/1/2025 3:54 PM]
If work in law or company secretary companies, they liaise closely with ACRA
RY, [9/1/2025 3:57 PM]
As individual, I do use ACRA to check any SG co entity
REACH Singapore, [9/1/2025 4:00 PM]
🔉 TOPIC 🔈
RY, [9/1/2025 4:02 PM]
I rem I went to the bank for some transactions last year, and I ask if I may use my digital IC
The bank staff reply to me that some transactions still require the physical IC and not all transactions may use digital IC
LCL (Danny 心), [9/1/2025 4:05 PM]
Yes.
This is still the same practice.
They will still need to take photos of front and back of IC.
RY, [9/1/2025 4:06 PM]
Sometimes we need to check the authenticity of any company existence in SG and if they still active/valid, as many fake (scam) companies nowadays
Hence, ACRA is the best way to check
LCL (Danny 心), [9/1/2025 4:06 PM]
But using IC number as user id is no longer the practice in banks.
Last time some banks still do it.
Now no more.
IC number not safe as authenticator.
LCL (Danny 心), [9/1/2025 4:08 PM]
Banks like DBS issue very unique password to decrypt encrypted financial documents.
DBS don't used IC number as part of authentication.
But some local, offshore banks and financial institutions still use part of IC number to decrypt financial documents.
I am not going to list which financial institutions and banks do it for security reasons.
I still receive a couple of financial documents from such banks.
RY, [9/1/2025 4:09 PM]
Hospitals/Medisave deduction appln, all req hardcopy of IC to submit
LCL (Danny 心), [9/1/2025 4:11 PM]
Yes.
This are still the practice.
So need a long runway to move such organisations out of IC number as authenticator.
Honestly, from IT perspective - IC number not safe.
Easily compromised.
RY, [9/1/2025 4:11 PM]
Recently I bring my family for Day Rehab svs
Bec obtaining govt subsidy, the private Healthcare orgn also hardcopy of patient IC
RY, [9/1/2025 4:13 PM]
Many orgn still using IC hardcopy and not all accepting digital IC
And not all appln/Cpf deduction are online also
LCL (Danny 心), [9/1/2025 4:14 PM]
Meanwhile still need to keep IC number mask intact and not widely distributed to the public.
Because the use of IC number still very pervasive.
No joke.
RY, [9/1/2025 4:15 PM]
All these orgn are non-govt, but they still require physical IC for the appln and etc
RY, [9/1/2025 4:18 PM]
If dont have/dont know how to use singpass, still require physical IC to go to CC to collect CDC vouchers
RY, [9/1/2025 4:19 PM]
Hence NRIC is a very important data we require to use for appln/collection/deduction and etc
RY, [9/1/2025 4:25 PM]
It is right to say that NRIC shd not be widely circulated, as we require NRIC for many purposes
As NRiC still use as verification/application/transaction and etc
Although singpass help to digitalise some of the appln eg CDC eVoucher redemption, but not appln can be digitalised
RY, [9/1/2025 4:34 PM]
Recently I want to book my family for covid vaccine at GP, after the closure of JTVC
I was told by the GP that must book appt using singpass online
Wondering how those IT/english illiterate elderly/handicapped people can book for their covid vaccine at GP without singpass ?
Govt encourage vulnerable people to take covid vaccine
However they also make it "difficult" to take covid vaccine for this grp of people without singpass/illiterate/people with mobility problems
My area polyclinics, all dont provide covid vaccine except GP clinics ......
G, [9/1/2025 5:22 PM]
So apparently metapneumovirus infection is listed as a side effect of Pfizer's covid jab
It's in
APPENDIX 1. LIST OF ADVERSE EVENTS OF SPECIAL INTEREST
From the document CUMULATIVE ANALYSIS OF POST-AUTHORIZATION ADVERSE EVENT REPORTS on Pfizer's covid jab
https://phmpt.org/wp-content/uploads/2021/11/5.3.6-postmarketing-experience.pdf
REACH Singapore, [9/1/2025 6:01 PM]
🔉 TOPIC 🔈
RY, [9/1/2025 6:40 PM]
SingPass is a very gd digital platform to access to govt/bank/others transaction/appln and etc
However, hope govt may also make things easier for those non-singpass users (illiterate/handicapped) also eg covid vaccine online booking appt
As now I am unable to make any covid vaccine appt for my family (non-singpass user) at GP clinics
RY, [9/1/2025 6:41 PM]
Tks for the info, not taking pfizer
REACH Singapore, [9/1/2025 6:45 PM]
Dear Contributors,
⏰ We will be closing the chat in 15 minutes ⏰
Thank you very much for being part of our Telegram chat and participating actively.
Goodnight!
Megan 😊
REACH Singapore, [9/1/2025 7:03 PM]
Dear Contributors
We will be closing the chat for today.
Thank you very much for being part of our Telegram chat and participating actively.
Goodnight!
Megan 😊
====