PDPA Compliance | 10 min read | 12 April 2026

NRIC Collection Rules in Singapore: What Changes by December 2026

New PDPC rules ban NRIC for authentication by Dec 2026. Learn what's changing, who's affected, and how Singapore businesses must comply to avoid penalties.

ComplyHQ Team

If your business uses NRIC numbers to verify customers, register visitors, or authenticate users, you need to act now. The Personal Data Protection Commission (PDPC) announced in February 2026 that all organisations must stop using NRIC numbers for authentication purposes by 31 December 2026.

This is not a suggestion. It is a regulatory requirement with financial penalties of up to S$1 million or 10% of annual turnover for non-compliance.

This guide explains what is changing, who is affected, and exactly what your business needs to do before the deadline.

What Changed: The PDPC February 2026 Announcement

On 2 February 2026, the PDPC issued an updated advisory reinforcing and extending the restrictions on NRIC usage that were first introduced on 1 September 2019. The key change is a firm deadline: all organisations must eliminate NRIC-based authentication by 31 December 2026, with enforcement beginning 1 January 2027.

The original 2019 Advisory Guidelines on NRIC Numbers already restricted organisations from collecting, using, or disclosing NRIC numbers unless required by law or necessary for high-fidelity identity verification. However, compliance was uneven. Many businesses continued using NRIC numbers as default identifiers for visitor registration, loyalty programmes, and online account authentication.

The 2026 announcement signals that the PDPC is moving from guidance to enforcement. Organisations that have not transitioned away from NRIC-based systems will face regulatory action.

What Counts as "NRIC Authentication"

The restrictions cover any use of NRIC numbers as an authentication factor. This includes:

  • Using the full NRIC number as a login credential or password
  • Using the last four characters of the NRIC (e.g., "123A") as a verification code
  • Combining partial NRIC with date of birth as an authentication method
  • Requiring NRIC numbers for visitor registration at office buildings
  • Collecting NRIC for membership sign-ups, lucky draws, or promotional events
  • Using NRIC as a default customer identifier in CRM systems

The rule applies to the NRIC number itself, physical NRIC cards, copies, photographs, and scans.

Who Is Affected

Every private sector organisation in Singapore that collects, uses, or discloses NRIC numbers is affected. There is no exemption based on company size, industry, or the volume of data collected.

Industries that typically rely heavily on NRIC-based processes include:

  • Property management: Visitor registration at condominiums and office buildings
  • Healthcare: Patient registration and appointment systems
  • Retail and F&B: Loyalty programmes and membership cards
  • Financial services: Customer onboarding and verification
  • Education: Student and parent registration systems
  • Events and hospitality: Registration and check-in processes
  • HR and recruitment: Employment applications and contractor management

If your business falls into any of these categories, audit your systems now.

When NRIC Collection Is Still Allowed

The PDPC does not ban all NRIC collection. There are specific situations where collecting NRIC remains permissible:

Required by Law

Certain laws require NRIC collection. For example:

  • Employment Act: Employers must collect NRIC for employment records
  • Income Tax Act: NRIC is required for tax-related reporting
  • CPF Act: NRIC is needed for CPF contributions
  • Companies Act: Directors' NRIC numbers must be filed with ACRA
  • Work Injury Compensation Act: NRIC is required for claims

High-Fidelity Identity Verification

NRIC collection is allowed when it is necessary to verify identity to a very high degree of accuracy — for example, opening a bank account, executing a legal document, or conducting a regulated financial transaction.

The critical distinction is between verification (confirming someone is who they claim to be, typically a one-time check) and authentication (using NRIC as an ongoing credential or identifier). Verification may still require NRIC. Authentication must not.

Alternatives to NRIC Authentication

The PDPC recommends that organisations transition to alternative authentication methods. The principle is simple: use the least sensitive identifier that meets your business need.

  1. Singpass: Singapore's national digital identity system. Suitable for government-related services and increasingly adopted by private sector organisations.

  2. Email-based OTP: Send a one-time password to the user's registered email address. Simple to implement and widely understood by users.

  3. Mobile number verification: SMS or app-based OTP sent to a registered mobile number. Effective for customer-facing applications.

  4. Organisation-issued identifiers: Create your own unique customer or membership ID. This gives you full control and avoids relying on sensitive government-issued numbers.

  5. Multi-factor authentication (MFA): Combine two or more factors (something the user knows, has, or is). This is more secure than NRIC-based authentication and meets modern security standards.

  6. Biometric verification: Fingerprint or facial recognition for physical access control. More secure than NRIC-based visitor registration.

For Visitor Registration Specifically

Many condominiums, office buildings, and co-working spaces still require visitors to write their NRIC number in a logbook. This practice must stop. Alternatives include:

  • QR code-based visitor management systems
  • Mobile number registration with OTP verification
  • Access passes issued to visitors, carrying temporary IDs
  • Singpass-based check-in for high-security environments


Step-by-Step: How to Transition Away from NRIC

Step 1: Audit Your Current NRIC Usage

Conduct a thorough review of every system, form, process, and database that collects, stores, or uses NRIC numbers. Common places to check:

  • Customer registration forms (online and paper)
  • Visitor management systems
  • HR and payroll systems
  • CRM and customer databases
  • Loyalty programme applications
  • Contract and agreement templates
  • Physical logbooks and sign-in sheets
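
For the database and CRM part of this audit, a scan of exported records can locate NRIC-shaped values, including ones hiding in login or free-text fields. The sketch below is an added example, not part of the original guide or of any PDPC material. It assumes a CSV export and uses the widely documented public check-letter scheme for S/T/F/G numbers, which the guide itself does not describe. M-series numbers are flagged by format only, and all function names and sample rows are constructed for illustration.

```python
import csv
import io
import re

# Widely documented public NRIC/FIN check-letter scheme (an assumption here;
# the article does not describe the number format).
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
CHECK_LETTERS = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
                 "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}
CANDIDATE = re.compile(r"(?<![A-Za-z0-9])([STFGM])(\d{7})([A-Z])(?![A-Za-z0-9])", re.I)


def classify(prefix, digits, letter):
    """Return 'valid', 'format-only' (M series, not checked) or None."""
    prefix, letter = prefix.upper(), letter.upper()
    if prefix == "M":
        return "format-only"
    total = sum(int(d) * w for d, w in zip(digits, WEIGHTS))
    if prefix in "TG":
        total += 4  # offset applied to the T and G series
    return "valid" if CHECK_LETTERS[prefix][total % 11] == letter else None


def mask(value):
    """Keep only the prefix so the audit report does not copy the identifier."""
    return value[0].upper() + "*" * (len(value) - 1)


def scan_csv(text):
    """Return (row_number, column, masked_value, status) for each likely NRIC."""
    findings = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        for column, cell in row.items():
            for m in CANDIDATE.finditer(cell or ""):
                status = classify(*m.groups())
                if status:  # a failed check letter is treated as a false positive
                    findings.append((row_no, column, mask(m.group(0)), status))
    return findings


# Constructed sample export; S1234567D is a well-known dummy value.
SAMPLE = """member_id,login_name,notes
1001,S1234567D,joined via roadshow
1002,alice@example.com,ref T1234567J on paper form
1003,bob@example.com,order A1234567B shipped
1004,S1234567A,bad check letter so not reported
"""

if __name__ == "__main__":
    for finding in scan_csv(SAMPLE):
        print(finding)
```

A hit in a column such as `login_name` points to NRIC being used as a credential or default identifier, which is the category the guide says must be replaced. The report masks each value so the audit output does not become another copy of the data.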

Step 2: Classify Each Use Case

For each instance of NRIC usage, determine whether it falls into one of three categories:

  1. Required by law — Continue collecting, but review if the full NRIC is necessary or if partial information suffices.
  2. Necessary for high-fidelity verification — Verify but do not retain the NRIC unless legally required.
  3. Convenience or default — Must be replaced with an alternative identifier by 31 December 2026.

Step 3: Select and Implement Alternatives

For each "convenience or default" use case, choose an appropriate alternative from the list above. Prioritise changes to customer-facing systems first, as these are the most visible to regulators and the public.

Step 4: Update Your Systems and Processes

  • Remove NRIC fields from online forms
  • Replace NRIC-based login credentials with alternative authentication
  • Update visitor management systems
  • Retrain staff on the new processes
  • Update your Data Protection Policy to reflect the changes

Step 5: Handle Historical NRIC Data

For NRIC numbers you have already collected:

  • If retention is legally required, continue storing them securely.
  • If retention is not legally required, destroy or anonymise the data.
  • Update your data retention schedule to reflect the new policy.
  • Document what was deleted and when, for compliance records.

Step 6: Update Your Privacy Policy

Your privacy policy should reflect the changes. Remove references to NRIC collection for purposes that no longer apply, and add information about the new identifiers you are using.


Penalties for Non-Compliance

The PDPC takes NRIC misuse seriously. Under the PDPA, penalties for non-compliance include:

  • Financial penalties of up to S$1 million per breach
  • For organisations with annual turnover exceeding S$10 million, penalties of up to 10% of annual turnover in Singapore
  • Directions to stop collecting, using, or disclosing data
  • Public enforcement decisions that can cause significant reputational damage

The PDPC has already taken enforcement action against organisations for NRIC-related breaches. In its published decisions, the Commission has made clear that collecting NRIC without a lawful basis is a breach of the Consent Obligation and the Purpose Limitation Obligation under the PDPA.

The Reputational Cost

Beyond financial penalties, PDPC enforcement decisions are published online and often covered by Singapore media. For SMEs, a public finding of non-compliance can damage customer trust and business relationships far beyond the monetary fine.

Timeline Summary

Date | Event
1 Sep 2019 | Original NRIC Advisory Guidelines take effect
2 Feb 2026 | PDPC announces firm deadline for NRIC authentication ban
31 Dec 2026 | Deadline to eliminate NRIC-based authentication
1 Jan 2027 | Active enforcement begins

What to Do Right Now

You have approximately eight months until the deadline. Here is what to prioritise:

  1. This week: Audit all NRIC usage across your organisation.
  2. This month: Classify each use case and select alternatives.
  3. Q2 2026: Begin implementing system changes, starting with customer-facing applications.
  4. Q3 2026: Complete implementation, retrain staff, and update policies.
  5. Q4 2026: Final testing and verification before the 31 December deadline.

Do not wait until Q4. System changes, vendor coordination, and staff training take time.


Frequently Asked Questions

When do I need to stop using NRIC for authentication?

All organisations must stop using NRIC numbers for authentication purposes by 31 December 2026. Enforcement begins 1 January 2027, and organisations found in breach face financial penalties of up to S$1 million or 10% of annual turnover.

Can I still collect NRIC numbers for identity verification?

Yes, but only when required by law or when it is necessary to accurately establish an individual's identity to a high degree of fidelity. You cannot collect NRIC as a default practice or for routine transactions like visitor registration or membership sign-ups.

What are the alternatives to NRIC authentication?

The PDPC recommends alternatives such as Singpass login, email-based OTP, mobile number verification, organisation-issued unique identifiers, multi-factor authentication, and biometric verification. The key principle is to use the least sensitive identifier that meets your business need.

Do the NRIC rules apply to NRIC copies and photos?

Yes. The restrictions apply to the full NRIC number, partial NRIC (such as the last four characters), physical copies, photographs, and scans of NRIC cards. Organisations should not retain NRIC copies unless legally required to do so.

What should I do with NRIC numbers I have already collected?

If you collected NRIC numbers before the restriction took effect and there is no legal requirement to retain them, you must cease using them for authentication and either destroy or anonymise the data. Review your databases, forms, and systems to identify and remove unnecessary NRIC data.
