
In brief

The Ministry of Information and Communications (MIC) recently released a draft decree on electronic identification and electronic authentication (“Draft Decree”) as part of the development of the e-government initiative. The MIC first introduced the concept of digital identity and e-authentication in Official Letter No. 1455/BTTTT-UDCNTT in 2013, for use in online public administrative services alongside the implementation of Decree No. 43/2011/ND-CP on providing public information and administrative services online, on websites or web portals of state agencies. With this Draft Decree, however, the MIC aims to expand the governing scope to cover electronic transactions with state agencies and transactions in the private sector, especially in the banking and finance sector.


Key takeaways

  • Governed subjects include agencies, organizations and individuals directly involved in or related to electronic identity, electronic identification and authentication in Vietnam in transactions carried out in a network environment.
  • In summary, this Draft Decree covers the following main sections:
      • digital identity and electronic identification (“e-Identification”)
      • electronic authentication (“e-Authentication”)
      • e-Identification and e-Authentication services

In depth

  1. Digital identity and e-Identification

As part of identity management, an individual engaging in an activity or a transaction in a network environment should go through the e-Identification process, the result of which is a digital identity (“Digital ID”). According to the Draft Decree, Digital ID means a collection of digital data that allows an individual to be authenticated over a network.[1]

The e-Identification process includes the following two steps:

Step 1: Receiving, cross-checking and verifying digital data.

Step 2: Consolidating and confirming the authentication factor[2] and providing the identification code in order to create a Digital ID for such an entity, as well as issuing a means of authentication[3] for the subsequent authentication of such issued Digital ID.

After being identified, the individual to whom a Digital ID has been issued is defined as a “Digital ID Subject.”[4] An individual can have more than one Digital ID for different types of online transactions. According to Article 3 of the Draft Decree, a Digital ID has three components: (i) identification code; (ii) digital data; and (iii) other information.

The implementation of identity management, including the creation of a Digital ID, is mainly subject to the requirements of Digital ID assurance levels (DIAL). In particular, in the process of e-Identification, the cross-checking and verifying of digital data will proceed based on various DIALs, as follows:

| DIAL | Applicable transactions | Digital data to be provided | Cross-checking and verifying |
|---|---|---|---|
| DIAL1 | As agreed by the parties to the transaction | At least one item from the cell below | No cross-checking required |
| DIAL2 | Same as DIAL1 | All seven items as follows: (1) personal identification number or ID card number; (2) last name, middle name and first name; (3) date of birth; (4) gender; (5) nationality; (6) mobile phone number; (7) personal email address | The digital data provided will be cross-checked online or directly against the copies of documents/papers issued by the competent authorities |
| DIAL3 | Transactions requiring proof of identity; public services or procedures of the state authorities provided to citizens, enterprises and society | Same as DIAL2 | One of the following will apply: (1) the digital data provided will be cross-checked online or directly against the copies of documents/papers issued by the competent authorities; (2) connect electronically with the citizen identity card; (3) connect with the national database on population |
| DIAL4 | Same as DIAL3 | Same as DIAL2 | One of the following will apply: (1) the digital data provided will be cross-checked online or directly against the copies of documents/papers issued by the competent authorities; (2) connect electronically with the citizen identity card; (3) connect with the national database on population. In addition, in-person attendance or real-time online attendance of the individual is mandatory |

A Digital ID can be created by registering in person or electronically with an organization providing e-Identification and e-Authentication services (“Service Provider”). The documents required for the registration dossier are determined by the Service Provider and are subject to the DIAL required for the transaction in question. The Digital ID to be created must be unique in the system of the Service Provider. Except for DIAL1, the term of the other DIALs must not exceed the term of the provided identity document.

  2. e-Authentication

Once an individual uses their assigned Digital ID to enter into transactions in a network environment, the organization providing its services in such a network and requesting the use of the Digital ID (“Digital ID Using Entity”) might wish to verify that such individual is the true Digital ID Subject. This activity by a Digital ID Using Entity is called e-Authentication according to Article 2.4 of the Draft Decree.

e-Authentication can rely on various types of authentication factors (which are owned by the Digital ID Subject) and/or means of authentication (provided by the Service Provider). As with the e-Identification process, the authentication factors and means of authentication required for e-Authentication are subject to the applicable DIALs, as follows:

| DIAL | Authentication factor | Means of authentication |
|---|---|---|
| DIAL1 | At least one type | Not required |
| DIAL2 | At least one type | Not required |
| DIAL3 | At least two types | Not required |
| DIAL4 | At least two types | Cryptographic device, software |

  3. e-Identification and e-Authentication services

    a. Licensing requirement

The Draft Decree sets out licensing requirements for companies providing e-Identification and e-Authentication services. In particular, an eligible Service Provider must be a Vietnamese entity and must meet certain requirements on human resources, finance, technical specifications and processes for managing and providing the services and cybersecurity laws.

    b. Retention and update of relevant data of Digital ID

Under Article 13 of the Draft Decree, the retention schedule of information related to Digital IDs and relevant transactions needs to be at least five years after the revocation of such Digital IDs.

| DIAL | Data type | Update schedule |
|---|---|---|
| DIAL1 | Information related to Digital IDs and relevant transactions | Upon any changes |
| DIAL2 | Same as DIAL1 | Upon any changes |
| DIAL3 | Information related to Digital IDs and relevant transactions; information about the transactions as from the time such transactions are carried out must also be stored during the lifetime of such Digital IDs | Periodically every six months |
| DIAL4 | Same as DIAL3 | Periodically every six months |

    c. Right to use personal information collected from the Digital ID registration

Under the Draft Decree, the Service Providers are only allowed to provide the personal information collected from the Digital ID for the transactions within the registered scope and purposes. The relevant Digital ID Subject must consent to the provision of personal information for other purposes. Any disclosure to any third party without the consent of the relevant Digital ID Subject is prohibited under the Draft Decree.

***

For further information, and to discuss what this development might mean for you, please contact us.


[1] Article 2.1 of the Draft Decree.

[2] Under Article 2.5 of the Draft Decree, an authentication factor is a factor associated with a Digital ID Subject that is used for e-Authentication. There are three types of authentication factor:

  • natural characteristics (biometrics) of the Digital ID Subject
  • information known solely to the Digital ID Subject
  • digital device owned by the Digital ID Subject

[3] A means of authentication is a means owned and controlled by a Digital ID Subject that is provided to such Digital ID Subject by the Service Provider. There are six types of means of authentication:

  • password
  • list of secret codes
  • two-dimensional (2D) barcode
  • telecommunications device
  • one-time password device, software
  • cryptographic device, software

[4] Article 2.2 of the Draft Decree.

Author

Yee Chung Seck leads the Firm’s Mergers & Acquisitions, IT/C, Pharmaceutical and Healthcare Practices in Vietnam. Chambers Global (2014, 2013) and Chambers Asia (from 2010 to 2015) rank him as a leading lawyer in the field of Corporate M&A and TMT in Vietnam. He is a member of the Singapore Bar Association and serves as vice president of the Singapore Business Group. He also serves as AmCham's IT/C Sub-Committee Co-Chair. Mr. Seck is fluent in English and conversational in Mandarin.

Author

Manh Hung Tran is the principal and managing lawyer of BMVN International LLC, a licensed law firm and IP agent, which is a member of Baker & McKenzie International. Mr. Tran has represented various multinational and Vietnamese companies in different industries including infrastructure, transportation, telecommunications, port, retail, distribution, and intellectual property. He also assisted internationally famous brands to establish their investment projects in Vietnam. Mr. Tran was voted Vietnam Lawyer of the Year (2009) in the national poll of Vietnamese lawyers organized jointly by the Vietnam Lawyers’ Federation, the Ministry of Justice and Vietnam Law Magazine. In addition to authoring many publications, Mr. Tran has given speeches and lectured on "Lawyering Skills" at the Hanoi University of Law and Diplomatic Academy of Vietnam, and intellectual property laws for the Professional Training School of the Ministry of Industry and Trade. He used to serve as chairman of the Legal Committee of Hanoi American Chamber of Commerce.
