yperic
The shortcomings included security lapses at Acra that contravened the Government’s internal data management rules. ST PHOTO: MARK CHEONG
SINGAPORE – A review panel that investigated the disclosure of individuals’ full NRIC numbers on a government business portal has found no evidence of malicious intent or wilful wrongdoing.
But the panel, led by Head of Civil Service Leo Yip, uncovered shortcomings, by both the Accounting and Corporate Regulatory Authority (Acra) and the Ministry of Digital Development and Information (MDDI), in the incident.
The six shortcomings included security lapses at Acra that contravened the Government’s internal data management rules, and lack of clear communication between Acra and MDDI that led to full NRIC numbers being published on Acra’s refreshed business portal BizFile in December 2024.
“In this incident, the Public Service did not perform to the level we set for ourselves. We should have done better, and this review contains important lessons which we will apply,” said the panel in its report.
“More importantly, the lessons that the panel had identified will be disseminated across the whole of the Public Service, so that agencies can take these on board and similar incidents do not recur.”
Prime Minister Lawrence Wong said in a statement that he agreed with the assessment of the shortcomings as well as the learning points identified.
“The report sets out key lessons for the public service. The Government will take these lessons to heart, improve its processes, and strive to do better moving forward,” he said.
On Dec 9, Acra refreshed its Bizfile portal with a search feature that allowed the full NRIC numbers of registered people on its database to be accessed for free. The feature was taken down on Dec 13 after public backlash.
The panel said in its report issued on March 3: “While the panel did not find any factual evidence of deliberate wrongdoing or wilful inaction by the MDDI and Acra officers involved in this incident, it found several shortcomings by both Acra and MDDI in this incident, which should have been avoided.”
MDDI should have been clearer in its policy communications, it said, particularly, in its July 2024 circular minute (CM) that went to all public agencies requiring them to stop the use of NRIC numbers for authentication, and stop internal uses of masked NRIC numbers within the public sector.
This was to take place from Nov 1 that year, in line with a broader national policy intent to return NRIC numbers to their proper use as unique identifiers, and by stopping the incorrect use of NRIC numbers for authentication.
The CM also informed agencies not to introduce any new uses of masked NRIC numbers, both internally and externally, with immediate effect.
“MDDI and Acra staff did not realise that Acra had misunderstood how the July 2024 CM applied to the new Bizfile portal,” according to the PMO statement.
Acra’s refreshed Bizfile portal, which was meant to continue to display partial NRIC numbers alongside corresponding names in search results, was not considered a new use by MDDI. But Acra’s takeaway was different.
Also, the misinterpretation was not caught as two Acra staff involved in a follow-up MDDI briefing in mid-July did not disseminate the additional briefing materials to the project leads for the new Bizfile portal and Acra’s senior leadership.
The panel - which comprises the Permanent Secretaries of multiple ministries - found that Acra was the only agency that had misunderstood the July 2024 CM to the extent that it did.
The panel also found that Acra did not assess the proper balance between sharing full NRIC numbers and ensuring that they were not too readily accessible.
“This was a contravention of IM8, which ACRA was required to comply with under the PSGA (Public Sector Governance Act),” said the panel in its report, titled Report of the Review into the Public Disclosure of Full NRIC Numbers on Bizfile People Search.
IM8 is a set of instructions which governs how public agencies collect, use and disclose citizens’ data. The public sector’s personal data protection standards in the PSGA and IM8 are aligned with the Personal Data Protection Act, but have been adapted to the public service context.
Alternative designs for Bizfile should have been considered, said the report. One way is to require users to narrow their search by keying in additional parameters like the Unique Entity Number of the associated business entity.
As for MDDI, it should have given more attention to the implementation plan for new uses of partial NRIC numbers that were more complex, such as public registries, the panel said in its report.
“The Panel would like to emphasise the importance of agencies regularly assessing data security and protection risks, taking into account user needs and public concerns,” according to the report.
“When there is a new policy direction, agencies should re-assess the adequacy and appropriateness of their system design and make comprehensive assessments of different options to meet the policy objective.”
The panel affirmed the broad policy intent to stop the incorrect use of NRIC numbers for authentication and move away from the use of partial NRIC numbers. This will be carried out in phases starting with the public sector and involving public consultations. “Doing so would better protect our citizens,” according to the report.
“The Public Service Division, MDDI and Acra will separately follow up to review the actions and responsibilities of the relevant individual officers. This will be conducted in accordance with the applicable accountability and disciplinary frameworks and processes in the respective public agencies involved,” the panel said.
On Feb 25, the panel’s report was submitted to Senior Minister and Coordinating Minister for National Security Teo Chee Hean, who is also Minister-in-charge of the Smart Nation Group, and Digital Government and Public Sector Data Governance. Mr Teo, in turn, submitted the report to Prime Minister Lawrence Wong on Feb 26.
The matter is expected to be debated in Parliament this week.
Apologising for its oversight, MDDI said in a statement: “In this incident, the Public Service did not perform to the level we set for ourselves.”
The ministry is preventing similar incidents by providing more guidance to government agencies on how the policy on NRIC numbers should be applied. It has identified almost 800 existing uses of partial NRIC numbers in public-facing systems, including the Registry of Marriages. It will also step up public education on the incorrect use of NRIC numbers.
Acra, in a joint response with the Ministry of Finance, also apologised for the incident and said it is taking steps to address the shortcomings. These efforts include conducting more regular risk reviews before, during and after major tech system changes. Acra also said it will strengthen its vendor oversight and launch user tests prior to new system launches.
MDDI and Acra said that appropriate actions are being taken with the officers and leaders involved, including performance assessments with financial consequences and additional training.


