---
title: "Singapore PDPA NRIC Handling Rules"
canonical_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/nric-handling"
source_url: "https://www.sorena.io/artifacts/apac/singapore-pdpa/nric-handling"
author: "Sorena AI"
description: "When Singapore organisations may collect, use, disclose, retain, mask, or replace NRIC numbers under PDPC guidance."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Singapore PDPA NRIC"
  - "PDPC NRIC guidelines"
  - "NRIC handling"
  - "national identification numbers"
  - "Singapore PDPA"
  - "NRIC"
  - "PDPC"
---

# Singapore PDPA NRIC Handling Rules

When Singapore organisations may collect, use, disclose, retain, mask, or replace NRIC numbers under PDPC guidance.


## Singapore PDPA NRIC handling

Treat full NRIC numbers as restricted identifiers: collect, use, or disclose them only when law requires it or when high-accuracy identity verification is necessary.

Use alternatives for routine accounts and public-facing systems, stop NRIC-based authentication, mask or hash scanned values, and keep full NRIC data only while a legal or business purpose remains.

This page translates PDPC NRIC guidance into implementation checks for product, privacy, security, support, and operations teams handling Singapore NRIC numbers and comparable national identification numbers.

## When full NRIC collection, use, or disclosure is allowed

Private-sector organisations should not collect, use, or disclose full NRIC numbers or NRIC copies as a default customer identifier. The PDPC FAQ gives two permitted bases: the handling is required by law, or it is necessary to establish or verify an individual's identity to a high degree of accuracy.

Operationally, require the requester to name the exact law or the high-accuracy verification reason before a form, workflow, API, ticket, or vendor process accepts a full NRIC value. If the need is only account lookup, queue management, loyalty membership, event registration, building access, or customer support routing, design the workflow around a less sensitive identifier.

- Law-required handling: record the statute, regulator requirement, or sector rule that requires the full NRIC number or copy.
- High-accuracy verification: record why names, email addresses, mobile numbers, customer IDs, partial identifiers, or in-person sighting are insufficient for the risk.
- Comparable identifiers: apply the same treatment to Birth Certificate numbers, FINs, and Work Permit numbers; avoid full passport numbers unless the use is justified.
- Physical checks: checking a physical NRIC, Foreign Identity card, or passport may be allowed to verify particulars, but retaining the physical document is a separate and narrower question.

Sources for this answer:

- [PDPC NRIC FAQs](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/02/advisory-guidelines-on-the-personal-data-protection-act-for-nric-and-other-national-identification-numbers/nric-faqs?ref=sorena.io) - Supports the two permitted bases for full NRIC collection, use, or disclosure and the treatment of related national identification numbers.

## Use alternatives for routine identification and accounts

NRIC numbers are permanent identifiers and can unlock or correlate large amounts of information about an individual. For websites, apps, memberships, kiosks, visitor systems, and other public-facing systems, replace NRIC-based usernames or primary identifiers with an identifier that is unique, memorable where needed, not sensitive, and not easily guessed.

Good replacement options depend on the workflow. User-selected usernames work for account logins; organisation-generated customer IDs work for internal records; validated email addresses or mobile numbers can work where contact control is part of the customer journey; combinations of non-sensitive data can reduce collisions; and partial NRIC values should only be used with other data where a full NRIC is not permitted.

- For new systems, block full NRIC fields unless the intake form records a law-required or high-accuracy verification basis.
- For existing systems, inventory every screen, database field, report, export, and downstream integration where the NRIC is displayed, stored, or used as a key.
- When replacing identifiers, notify affected users and support teams, test lookup and account-recovery flows, and confirm related CRM, access, billing, and reporting systems accept the replacement.
- When a partial NRIC is used as an identifier, use the last three digits plus the final letter only in combination with other data, and check the resulting identifier for uniqueness.

Sources for this answer:

- [PDPC Advisory Guidelines on NRIC and other National Identification Numbers](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/02/advisory-guidelines-on-the-personal-data-protection-act-for-nric-and-other-national-identification-numbers?ref=sorena.io) - Supports the page focus on collection, use, disclosure, and retention of NRIC numbers and links the NRIC advisory materials.
- [PDPC advisory guidelines resources](https://www.pdpc.gov.sg/ag?ref=sorena.io) - Supports use of PDPC advisory guidance for replacement identifiers, public-facing systems, masking, hashing, and migration checks.

## Do not use NRIC numbers for authentication

Do not treat knowledge of a full or partial NRIC number as proof that a person is the genuine user. PDPC and CSA advise organisations against using NRIC numbers to authenticate persons because NRIC numbers identify people and should be assumed to have been disclosed to others.

Remove NRIC values from passwords, default passwords, file passwords, customer-service challenge questions, and combined secrets such as partial NRIC plus date of birth. Choose authentication controls based on the value and sensitivity of the protected service or information, the threat model, and the accessibility of the method.

- Stop any login, reset, phone-support, document-opening, or account-recovery flow that accepts a full or partial NRIC as a secret.
- Do not set NRIC numbers as default passwords for accounts or password-protected files.
- Prefer stronger factors such as strong passwords, tokens, smart cards, biometrics, and two-factor authentication where appropriate to the risk.
- Train support teams that a caller who can state an NRIC number has identified a person, not authenticated as that person.

Sources for this answer:

- [PDPC and CSA Joint Advisory against using NRIC Numbers for Authentication](https://www.pdpc.gov.sg/help-and-resources/2025/06/joint-advisory-against-using-nric-numbers-for-authentication-by-the-personal-data-protection-commission-pdpc-and-cyber-security-agency-of-singapore-csa?ref=sorena.io) - Supports the implementation rule against using full or partial NRIC numbers as passwords, default passwords, or authentication secrets.

## Mask, hash, and avoid permanent full-NRIC storage

Systems that scan NRIC or FIN barcodes can receive the complete number even when the business process does not need to retain it. Convert scanned full NRIC values immediately into the final permitted format and avoid permanent storage of the complete number unless the full value is permitted under the NRIC rule.

For display, show a masked value when the complete NRIC is not strictly required. For matching, use a one-way hash where the system only needs to recognise a returning person or compare against a previous scan. Keep full NRIC values out of logs, analytics, exports, screenshots, and support transcripts unless those records have the same lawful or high-accuracy basis.

- Scanning rule: do not permanently store the complete scanned NRIC number when the workflow only needs identification or matching.
- Masked display: expose only the characters needed for confirmation, such as a partial NRIC format, when full display is unnecessary.
- Hashing rule: hash before storage when the system needs repeat matching but does not need the original NRIC value.
- Migration check: delete or anonymise old full-NRIC database values, backups, exports, and test datasets once they are no longer required for a legal or business purpose.

Sources for this answer:

- [PDPC advisory guidelines resources](https://www.pdpc.gov.sg/ag?ref=sorena.io) - Supports technical implementation guidance for NRIC replacement, scanned barcode handling, partial identifiers, masking, and hashing.
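
The scan-conversion, masking, hashing, and log-redaction rules in this section can be implemented as below. This is an added example, not code from PDPC or Sorena; the function names, the five-asterisk mask, the format-only NRIC pattern, the demo key, and the choice of HMAC-SHA-256 as the one-way hash are assumptions of the example.

```python
import hashlib
import hmac
import re

# Assumed layout: prefix letter S/T/F/G/M, seven digits, one check letter.
# Format check only; the check letter is not verified in this example.
NRIC_RE = re.compile(r"\b[STFGM]\d{7}[A-Z]\b", re.IGNORECASE | re.ASCII)

# Constructed demo key. In a real deployment the key comes from a secrets
# manager and never sits beside the stored tokens.
DEMO_KEY = b"constructed-demo-key"


def normalise(raw: str) -> str:
    """Trim and upper-case a scanned value; reject anything not NRIC-shaped."""
    value = raw.strip().upper()
    if not NRIC_RE.fullmatch(value):
        raise ValueError("scanned value is not in NRIC/FIN format")
    return value


def partial(nric: str) -> str:
    """Last three digits plus the final letter (the partial form)."""
    return nric[-4:]


def mask(nric: str) -> str:
    """Masked display value: five asterisks followed by the partial form."""
    return "*" * 5 + partial(nric)


def match_token(nric: str, key: bytes) -> str:
    """Keyed one-way token for recognising a returning person.

    HMAC-SHA-256 is used instead of a bare hash because the NRIC space is
    small enough to enumerate: anyone holding unkeyed hashes could recover
    the numbers by hashing every candidate value.
    """
    return hmac.new(key, nric.encode("ascii"), hashlib.sha256).hexdigest()


def convert_scan(raw: str, key: bytes = DEMO_KEY) -> dict:
    """Turn a scan into the only two values the workflow keeps."""
    nric = normalise(raw)
    return {"display": mask(nric), "token": match_token(nric, key)}


def redact(text: str) -> str:
    """Mask NRIC-shaped values in logs, exports, or support transcripts."""
    return NRIC_RE.sub(lambda m: mask(m.group(0).upper()), text)


if __name__ == "__main__":
    # Constructed sample value and log line, not real data.
    record = convert_scan(" s1234567d\n")
    print(record["display"], record["token"][:16] + "...")
    print(redact("09:02 visitor S1234567D scanned at lobby kiosk"))
```

The raw scan exists only inside `convert_scan`; what the caller persists is the masked display value and the keyed token.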

## Retention and evidence records

Physical NRICs and other identity documents containing national identification numbers should be retained only when required by law. Checking a document to verify particulars is different from keeping the card, image, scan, or copy.

For NRIC values stored in systems, apply the PDPA retention limitation rule: stop retaining documents containing personal data, or remove the means of associating the data with individuals, once the original purpose is no longer served and retention is no longer necessary for legal or business purposes. The PDPA does not give one universal retention period; the record should explain the purpose, legal or business need, and deletion or anonymisation method.

- Keep an NRIC handling record with the field name, system, purpose, permitted basis, display format, storage format, access roles, vendor location, and deletion trigger.
- For each full-NRIC field, keep the law-required citation or high-accuracy identity-verification rationale that justified collection, use, disclosure, or retention.
- For physical NRIC handling, document whether the team only checked the document or retained the physical card, copy, image, or scan, and why retention was legally required.
- For removal, record whether the organisation returned, destroyed, deleted, anonymised, masked, or hashed the data, and whether agents or data intermediaries also lost access.

Sources for this answer:

- [PDPC NRIC FAQs](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/02/advisory-guidelines-on-the-personal-data-protection-act-for-nric-and-other-national-identification-numbers/nric-faqs?ref=sorena.io) - Supports the rule that physical NRICs and comparable identification documents may be retained only when required by law.
- [Personal Data Protection Act 2012](https://sso.agc.gov.sg/Act/PDPA2012?ref=sorena.io) - Supports the statutory retention-limitation basis for ceasing retention or removing the link between personal data and individuals.
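
The NRIC handling record described above can be checked mechanically, for example in a data-inventory review. This is an added example, not Sorena's or PDPC's tooling; the `NricField` schema (a subset of the record fields listed in this section), the finding texts, and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass

# The two permitted bases for full NRIC handling named on this page.
ALLOWED_BASES = {"law_required", "high_accuracy_verification"}


@dataclass
class NricField:
    system: str
    field_name: str
    purpose: str
    storage_format: str          # "full", "masked", "hashed" or "none"
    display_format: str          # "full", "masked" or "none"
    permitted_basis: str = ""    # one of ALLOWED_BASES, empty if none recorded
    basis_evidence: str = ""     # statute citation or verification rationale
    used_for_authentication: bool = False
    deletion_trigger: str = ""


def review(f: NricField) -> list:
    """Return the findings for one inventory entry (empty list if clean)."""
    findings = []
    handles_full = "full" in (f.storage_format, f.display_format)
    if handles_full and f.permitted_basis not in ALLOWED_BASES:
        findings.append("full NRIC without a recorded permitted basis")
    elif handles_full and not f.basis_evidence.strip():
        findings.append("permitted basis has no citation or rationale")
    if f.used_for_authentication:
        findings.append("NRIC accepted as an authentication secret")
    if f.storage_format != "none" and not f.deletion_trigger.strip():
        findings.append("no deletion trigger recorded")
    return findings


def review_inventory(fields) -> dict:
    """Map 'system.field' to its findings, skipping clean entries."""
    results = {}
    for f in fields:
        found = review(f)
        if found:
            results[f"{f.system}.{f.field_name}"] = found
    return results


# Constructed inventory entries, not taken from any real system.
SAMPLE_INVENTORY = [
    NricField("crm", "customer_nric", "account lookup", "full", "masked",
              deletion_trigger="account closure"),
    NricField("onboarding", "id_number", "identity verification", "full", "full",
              permitted_basis="law_required",
              basis_evidence="<statute citation placeholder>",
              deletion_trigger="end of statutory retention period"),
    NricField("support", "caller_check", "phone verification", "none", "none",
              used_for_authentication=True),
    NricField("visitor_kiosk", "scan_token", "repeat-visit matching",
              "hashed", "masked"),
]

if __name__ == "__main__":
    for name, found in review_inventory(SAMPLE_INVENTORY).items():
        print(name, "->", "; ".join(found))
```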

## Primary sources

- [PDPC NRIC FAQs](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/02/advisory-guidelines-on-the-personal-data-protection-act-for-nric-and-other-national-identification-numbers/nric-faqs?ref=sorena.io) - Primary source for when private-sector organisations may collect, use, disclose, or retain full NRIC numbers, NRIC copies, and physical identity documents.
  - Quote: "required by the law; or"
- [PDPC Advisory Guidelines on NRIC and other National Identification Numbers](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/02/advisory-guidelines-on-the-personal-data-protection-act-for-nric-and-other-national-identification-numbers?ref=sorena.io) - Primary PDPC page for NRIC advisory guidance, including collection, use, disclosure, retention, and the 2024 authentication warning.
  - Quote: "collection, use and disclosure of NRIC"
- [PDPC and CSA Joint Advisory against using NRIC Numbers for Authentication](https://www.pdpc.gov.sg/help-and-resources/2025/06/joint-advisory-against-using-nric-numbers-for-authentication-by-the-personal-data-protection-commission-pdpc-and-cyber-security-agency-of-singapore-csa?ref=sorena.io) - Supports removing full or partial NRIC numbers from passwords, default passwords, challenge questions, and other authentication secrets.
  - Quote: "NRIC numbers should not be used as passwords"
- [PDPC advisory guidelines resources](https://www.pdpc.gov.sg/ag?ref=sorena.io) - Supports technical implementation guidance for replacing NRIC identifiers, masking displays, hashing scanned values, and migrating existing systems.
  - Quote: "Advisory Guidelines"
- [Personal Data Protection Act 2012](https://sso.agc.gov.sg/Act/PDPA2012?ref=sorena.io) - Official statute source for the PDPA retention-limitation framing used for stored NRIC personal data.
  - Quote: "Personal Data Protection Act 2012"

(c) 2026 Sorena AB (559573-7338). All rights reserved.

