SINGAPORE – The officers and senior management involved in missteps that led to the disclosure of full NRIC numbers on a government business portal could face a range of “appropriate measures”, from counselling to retraining and reductions in their performance grade and performance-based payments.
This comes after a review panel investigated the incident that took place on Dec 9, 2024, and found lapses in the process and communication between the Accounting and Corporate Regulatory Authority (Acra) and the Ministry of Digital Development and Information (MDDI).
Senior Minister Teo Chee Hean told Parliament on March 6 that while the review found there was no malicious or wilful wrongdoing by the officers involved, “there were inadequacies in their judment and actions”.
In its report released on March 3, the review panel flagged six instances where the agencies could have done better, including clearer communications from MDDI.
The ministry was unclear in its policy communications issued to various agencies on the Government’s plans to end the use of NRIC numbers for authentication, leading to the confusion which resulted in full NRIC numbers being disclosed on Acra’s Bizfile portal.
Officers involved in the shortcomings include those whose actions contributed directly to the shortcomings, as well as senior management who were responsible for providing oversight and guidance to the officers, said SM Teo in a ministerial statement on the review.
The review panel on Feb 25 submitted its report for review by SM Teo, who is also Minister-in-charge of Public Sector Data Governance. He accepted the findings and reported them to Prime Minister Lawrence Wong the next day.
Highlighting the importance of accountability, SM Teo said the political office holders overseeing Acra and the Smart Nation efforts in MDDI have overall responsibility for the organisations under their charge.
“This is regardless of whether they had specific or direct responsibility for the shortcomings that occurred,” said SM Teo, adding that both Digital Development Minister Josephine Teo and Minister in the Prime Minister’s Office and Second Minister for Finance Indranee Rajah have publicly accepted this responsibility and apologised for the incident.
The Permanent Secretaries of the Smart National Digital Government Office (now under MDDI) were responsible for implementing the policy, while Acra chief executive Chia-Tern Huey Min was responsible for the design and implementation of the new Bizfile portal, SM Teo added.
He clarified that the review was not a disciplinary process and that any disciplinary action leveled at the officers, if warranted, will need to be carried out by the respective public agencies involved.
SM Teo said the Public Service holds its officers to a high standard of conduct.
“Singaporeans deserve this,” he said. “Given the range and complexity of public services from time to time, mistakes will be made. If there is misconduct or malicious intent, we will deal with it severely and those involved will be punished.”
Where there was no malicious or wilful wrongdoing, due consideration should be given to whether the officers had acted in good faith in deciding on what action to take, SM Teo said.
He added that the lessons from the incident must be learnt by the entire Public Service so that they are not repeated.
“This Bizfile incident demonstrates that close coordination and careful attention to detail are required. Sometimes it is a single lapse, but at other times, it can be a confluence of factors, that can lead to such incidents,” he said.
The review panel, led by Head of Civil Service Leo Yip, said the shortcomings included security lapses at Acra that contravened the Government’s internal data management rules and unclear communication between Acra and MDDI. The panel was also critical of the agencies’ public communication, which they said should have laid down the key facts of the incident after faster, among other things.
By sharing full NRIC numbers, Acra was also found to have contravened the Government’s internal code, called IM8, a set of instructions that govern how public agencies use and disclose citizen’s data.
The public sector’s personal data protection standards in the PSGA and IM8 are aligned with the Personal Data Protection Act but have been adapted to the public service context.
Existing laws do not prescribe financial penalties for public agencies that contravene the IM8 rules, said SM Teo, adding that the officers responsible will instead face other measures, including retraining and impact on their performance grade.
SM Teo said trust in the Public Service is essential, and maintaining that trust is central to how the Government operates.
“When things go wrong, we are upfront with Singaporeans on where we have fallen short. We conduct thorough reviews and make improvements to our systems and processes to serve Singaporeans better while remaining fair to our officers,” he added.
“This recent incident, while regrettable, demonstrates the Government’s commitment to continuous improvement, to uphold the trust Singaporeans have placed in us.”
Join ST’s WhatsApp Channel and get the latest news and must-reads.