NRIC saga: Govt shouldn't come down like 'a ton of bricks' on civil servants

While the civil servants involved in the NRIC unmasking saga have caused public anxiety and need to be held accountable for their actions, the Government should not come down on them "like a ton of bricks", said Senior Minister Teo Chee Hean.

"Don't go in with a big bazooka and flatten everybody," he said in Parliament, adding that accountability has to be done in a fair and balanced way to the individuals.

SM Teo was responding to clarifications raised by 12 MPs on March 6 after he gave a ministerial statement on a review panel that looked into the lapses in communication between the Accounting and Corporate Regulatory Authority (Acra) and the Ministry of Digital Development and Information (MDDI) that led to the incident in December 2024.

A misunderstanding of an internal government circular and lack of coordination between staff had led to the disclosure of full NRIC numbers on a new business portal called Bizfile.

The review flagged six shortcomings that led to the mass disclosure - including insufficient information sharing within Acra, lack of clarity in its policy communications by MDDI, and poor communication with the public.

MPs like Ms Jessica Tan (East Coast GRC) and Ms Tin Pei Ling (MacPherson) raised concerns about how the penalties might cause public servants to be overly cautious and avoid taking risks, which can stymie innovation.

The officers and senior management involved in the missteps could face consequences such as counselling, retraining and reductions in their performance grade and performance-based payments.

SM Teo said: "We should deal with them fairly and in accordance with the public sector's disciplinary processes. This is something that will give assurance to officers that just because something has become publicly known and caused public anxiety, that we won't come down on them in an unfair way."

The Government would have to evaluate their actions, what they should have done, and what was the intent behind it before deciding on the appropriate action to be taken.

"That is the way we should continue within the public service, so that the public service can continue to do the things they need to do for us - including taking calculated risks if there's a need to," said SM Teo.

Political office-holders like Second Minister for Finance Indranee Rajah, who oversees Acra, and Digital Development and Information Minister Josephine Teo, who oversees the Smart Nation initiative under MDDI, will also have to shoulder responsibility for the organisations under their charge.

"The Prime Minister will take into account this incident in his evaluation of the ministers," added SM Teo.

Workers' Party (WP) chairwoman Sylvia Lim (Aljunied GRC) also asked about Prime Minister Lawrence Wong's responsibility over the incident, given that he is also the Minister of Finance.

SM Teo pointed out that PM Wong has to delegate responsibilities to his ministers.

"If the Prime Minister tries to be responsible for everything, he would not be able to function at all. One of the responsibilities of the Prime Minister is to know when he should delegate, and when he should intervene," said SM Teo.

"I'm also glad to note that Ms Sylvia Lim takes accountability, especially accountability of leaders of organisations, as something which is very serious and which should be accepted when mistakes are made," he added.

Addressing questions on whether issues like personal data protection and cyber security should be dealt with on an inter-ministry level involving senior political office-holders, SM Teo said that inter-agency coordination has to be done at the right level.

Policy issues are coordinated at the deputy prime minister and senior minister level, while implementation is usually coordinated by the relevant agencies.

"If you try to do that kind of coordination, day-to-day action at the DPM or SM level, I think you'll end up with a major bottleneck, and (the system) will not work properly," said SM Teo.

In asking if the Government can do more to strengthen the security of online portals that provide access to personal data, Dr Tan Wu Meng (Jurong GRC) pointed out that Acra had outsourced its portal security to a vendor, which then outsourced security penetration tests to another vendor.

However, it was found that security features for the Bizfile portal were not adequately implemented.

Dr Tan asked if the same vendors are providing services to other government portals or organisations.

SM Teo said that vendors are not perfect and can make mistakes. But there is a process for selecting vendors, and if a vendor is found to not have fulfilled responsibilities properly, that will be taken into account in future awarding of tenders.

There were also concerns that cyber criminals have scraped the database of unmasked NRIC numbers from the Bizfile portal for profit.

WP MP Gerald Giam (Aljunied GRC) said the portal had received more than 500,000 searches for NRIC numbers over five days in December 2024, and asked if the Government had been monitoring the Dark Web for sale of the personal information.

Non-Constituency MP Leong Mun Wai wanted to know if there was evidence to suggest a compromise of full NRIC numbers "on a large scale".

SM Teo said the Government monitors the Dark Web for a variety of things, including the Bizfile incident, and has not seen any sale of NRIC numbers.