SINGAPORE - The officers and senior management involved in the missteps that led to the mass disclosure of NRIC numbers on a government business portal are being counselled, retrained and could have reductions in their performance grade and performance-based payments.
This comes after a review panel had investigated [the incident that took place on Dec 9, 2024,](https://www.straitstimes.com/singapore/acra-disables-search-function-for-nric-numbers-on-portal-for-now) and found lapses in the process and communication between the Accounting and Corporate Regulatory Authority (Acra) and the Ministry of Digital Development and Information(MDDI).
“While there was no malicious or wilful wrongdoing by the officers, there were inadequacies in their judgment and actions,” said Senior Minister and Coordinating Minister for National Security Teo Chee Hean in Parliament on March 6.
“The Public Service Division, MDDI and Acra have taken into account the findings of the Panel, and have reviewed the roles, responsibilities and actions of the relevant officers involved in the shortcomings highlighted in the report,” he said in a statement on the review into the public disclosure of full NRIC numbers on Acra’s Bizfile.
SM Teo, who is also Minister-in-charge of Public Sector Data Governance, said the officers include those whose actions contributed directly to the shortcomings, as well as senior management who were responsible for providing oversight and guidance to the officers.
The review panel on Feb 25 submitted its report for review by SM Teo, who accepted the findings and reported them to Prime Minister Lawrence Wong the next day.
The report flagged six instances where the agencies could have done better, including clearer communications from MDDI, which was unclear in its policy communications issued to various agencies on the Government’s plans to end the use of NRIC numbers for authentication, leading to the confusion.
Highlighting the roles of individuals who were responsible, SM Teo said the political office holders overseeing Acra and the Smart Nation efforts in MDDI have overall responsibility for the organisations under their charge.
“This is regardless of whether they had specific or direct responsibility for the shortcomings that occurred,” said SM Teo, adding that both Digital Development Minister Josephine Teo and Minister in the Prime Minister’s Office and Second Minister for Finance Indranee Rajah have publicly accepted this responsibility and apologised for the incident.
The Permanent Secretaries of the Smart National Digital Government Office (now under MDDI) were responsible for implementing the policy, while Acra chief executive Chia-Tern Huey Min was responsible for the design and implementation of the new Bizfile portal, SM Teo added.
He clarified that the review was not a disciplinary process and that any disciplinary action leveled at the officers, if warranted, will need to be dealt with by the respective public agencies involved.
SM Teo said the Public Service holds its officers to a high standard of conduct.
“Singaporeans deserve this,” he said. “Given the range and complexity of public services from time to time, mistakes will be made. If there is misconduct or malicious intent, we will deal with it severely and those involved will be punished.”
He added that the lessons from the incident must be learnt by the entire Public Service so that they are not repeated.
The review panel, led by head of civil service Leo Lip, published its findings on March 3.
The panel said the six shortcomings included security lapses at Acra that contravened the Government’s internal data management rules and unclear communication between Acra and MDDI. The panel was also critical of the agencies’ public communication, which they said should have laid down the key facts of the incident after faster.
By sharing full NRIC numbers, Acra was also found to have contravened the Government’s internal code, called IM8, a set of instructions that govern how public agencies use and disclose citizen’s data. The public sector’s personal data protection standards in the PSGA and IM8 are aligned with the Personal Data Protection Act but have been adapted to the public service context.
Existing laws do not prescribe financial penalties for public agencies that contravene the IM8 rules, said SM Teo, adding that the officers responsible will instead face other measures, including retraining and impact on their performance grade.
SM Teo said the Public Service needed to uphold trust and be upfront with Singaporeans whenever they fall short of standards.
He said: “This recent incident, while regrettable, demonstrates the Government’s commitment to continuous improvement, to uphold the trust Singaporeans have placed in us.”
Join [ST's WhatsApp Channel](https://whatsapp.com/channel/0029VZzIPtoFXUuS8frj520t) and get the latest news and must-reads.