11.11.
Bertha Henson
13 hours ago · Thursday’s torment
I got a shock yesterday when I was told that it was easy to get hold of identity card numbers. All someone had to do was log into bizfile, go to People profile, key in the name - and the IC number would come up. (Sorry. No need to log in, just go to the site and search)
I tried it under my own name this morning and true enough, it was easy to do. Another friend did it for himself, his sister and mother - all of whom had no business with any type of business - and their IC numbers came up too. For good measure, I tried several political leaders - and got theirs as well. And this included someone who was already dead.
I was gobsmacked and wondered if this was a breach of PDPA. Then again, bizfile comes under ACRA which is exempt from PDPA. It comes under the Public Sector Governance Act which regulates the management of personal information that G agencies have.
I thought this was a glitch because bizfile was a ‘new’ website which went live on Dec 9. Perhaps, someone overlooked the details? If so, this was a loophole that should be closed, in my view. I wouldn’t want my IC number bandied around or used for nefarious purposes.
In any case, I reported this as an ‘incident’ to the Ministry of Digital Development and Information because it involved a G entity. I also called the PDPC to give details. I suggested that the officer key in his own name and see what comes up. I then called someone I know in the Finance ministry.
I got a quick email response from a “Joshua (Mr)” from the Government Data Security Contact Centre which said that my email would be forwarded to the relevant agency. He added: “Please understand that we may take 10-15 working days to investigate the issue, as it depends on the complexity of the issue. We will get back to you as soon as we can.”
I can forgive a templated reply but I cannot understand why something like this would take so long nor the need for a civil servant to have anonymity when engaging with the public.
I also got a call from a PDPC officer (he named himself) who tried telling me that PDPA did not apply to ACRA. I said I knew about that but it simply cannot be the case that IC numbers are so easily obtainable. Isn’t the practice to give a partial IC number when an identity is called for?
This was in the morning and through the day, I was checking the website to see if anything had changed. Nothing did.
My friend told me to look at ACRA’s data policy on its website.
Here it is:
Information for Public Access
The information available for public access includes registration date, nature of business activity, registered office address and financial statements of business entities, as well as personal data about owners, shareholders, directors and officers of the business.
The types of personal data publicly available are:
Name
Identification Number
Nationality
Residential Address (if no Contact Address is given)*
Holders of personal data obtained through ACRA's system or from authorised ISPs are responsible for making sure that they comply with the Personal Data Protection Act (PDPA) and other laws, regarding the disclosure and use of personal data and information. Should the use of information by anyone constitute an offence or a breach of the law, he or she may face legal action or criminal prosecution.
ACRA is exempted from the PDPA. The ACRA Act provides for ACRA to disclose personal data in discharging its functions. Nevertheless, ACRA adheres to the Public Sector (Governance) Act and Government Instruction Manuals with respect to the way data is managed. This includes putting in place processes and procedures to prevent disclosure of data under circumstances other than those allowed under the ACRA Act.
ACRA will continue to keep abreast of industry standards and strive to implement best practices where applicable, with respect to the way we manage personal data.
* With the enactment of the ACRA (Registry and Regulatory Enhancements) Act in July 2024, individuals may choose to use their residential address as their contact address. If no contact address is provided or if the provided address is ineffective, the residential address will be used as the contact address by default.
I have a few points to make regarding the above:
1. Perhaps, my name pops up because I used to have a company. And the website says it gives information on past and present positions. But I have also checked with others who are not shareholders, directors or have any business position in any company. Some of them have their ICs displayed, others don’t turn up in the system. It strikes me as a pretty random selection.
2. How is revealing IC numbers a “discharge of its functions”?
3. “This includes putting in place processes and procedures to prevent disclosure of data under circumstances other than those allowed under the ACRA Act.” I wonder what this even means since anyone, anywhere can see your IC. What processes and procedures? So keeping your IC number “safe” and “confidential” is just so much nonsense then?
4. “Should the use of information by anyone constitute an offence or a breach of the law, he or she may face legal action or criminal prosecution.” This seems ludicrous when the data is so freely available. Can see someone’s IC number but please don’t use?
5. Surely, this practice of revealing full IC is NOT a “best” practice? Much of the industry has moved beyond this.
6. I had a bit of a problem figuring out the amendment on how people “may choose to use their residential address as their contact address”. On checking the ACRA website, I realised that people now had a choice of using a contact address that was NOT their residential address to strike “a balance between corporate transparency and enhancing personal data protection”.
That was nice. Because you really don’t want your residential address to be so easily available. Note however that you will only get this detail on contact address if you pay a fee of $33 for more details. Your IC number, however, is available for free.
I kicked up enough of a fuss I guess for the intriguing Mr Joshua to send me another email in the afternoon to say that ACRA has “always displayed the full NRIC in their information products”.
“As the national business registry of Singapore, one of ACRA’s functions is to administer a repository of information relating to business entities, and to provide access to information of company office holders, such as identification details and residential address.” (Ahem. Mr Joshua should check ACRA website which said that after the amendment, ‘residential address will continue to be required to be filed, except that they will not be made public’.)
The usual bureaucratese follows: “Such information enhances transparency and trust in the business environment; by facilitating trade and interactions between businesses and the public, as well as enabling the public to perform due diligence checks on businesses and their operators, this information improves transparency and confidence in the setting for businesses and the people who operate them. Consequently, this enhances trust and clarity in business transactions.”
I suppose that this is a “legacy issue” - always been that way and will be that way. Except that this looks like an invitation to scammers and fraudsters to skim off IC information of people, including those who do not or who never had any role in any business venture. By the way, they include some very, very important people.
There was, however, one intriguing paragraph: “Having said that, mindful of the need to reduce the risk of personal data exposure where possible, ACRA conducted a review for (sic) the need to display identification numbers of individuals involved in running and managing the business entities in full in ACRA’s public register.”
That was it. Besides being ungrammatical (or because of it) I have no idea what the above means. Is the review over? Or being conducted? Will it be status quo or is it conceding that giving partial IC numbers is enough?
Mr Joshua ended by saying that the Government Data Security Contact Centre (GDSCC) “will proceed to close this case on our end as this is not a government data incident” and assured me that the Government takes data security very seriously.
“Thank you for your patience and understanding.”
Except that I am NOT patient and I do NOT understand.
