In brief
The Ministry of Information and Communications (MIC) recently released a draft decree on electronic identification and electronic authentication (“Draft Decree“) as part of the development of the e-government initiative. The concepts of digital identity and e-authentication were first introduced by the MIC in Official Letter No. 1455/BTTTT-UDCNTT in 2013, which was intended for use in online public administrative services alongside the implementation of Decree No. 43/2011/ND-CP on providing public information and administrative services online on the websites or web portals of state agencies. With this Draft Decree, however, the MIC aims to expand the governing scope to cover electronic transactions with state agencies as well as transactions in the private sector, especially in the banking and finance sector.
Key takeaways
- Governed subjects include agencies, organizations and individuals directly involved in or related to electronic identity, electronic identification and authentication in Vietnam in transactions carried out in a network environment.
- In summary, this Draft Decree covers the following main sections:
- digital identity and electronic identification (“e-Identification“)
- electronic authentication (“e-Authentication“)
- e-Identification and e-Authentication services
In depth
- Digital identity and e-Identification
As part of identity management, an individual engaging in an activity or a transaction in a network environment should go through the e-Identification process, the result of which is a digital identity (“Digital ID“). According to the Draft Decree, Digital ID means a collection of digital data that allows an individual to be authenticated over a network.1
The e-Identification process includes the following two steps:
Step 1: Receiving, cross-checking and verifying digital data.
Step 2: Consolidating and confirming the authentication factor2 and providing the identification code in order to create a Digital ID for such an entity as well as issuing a means of authentication3 for the subsequent authentication of such issued Digital ID.
After being identified, the individual assigned with an issued Digital ID is now defined as a “Digital ID Subject.”4 An individual can have more than one Digital ID for different types of online transactions. According to Article 3 of the Draft Decree, a Digital ID has three components: (i) identification code; (ii) digital data; and (iii) other information.
The implementation of identity management, including the creation of a Digital ID, is mainly governed by the requirements of the Digital ID assurance levels (DIAL). In particular, during e-Identification the cross-checking and verification of digital data depends on the applicable DIAL, as follows (where a cell was merged across levels in the Draft Decree's table, the same requirement is repeated here for each level it covers):

DIAL | Applicable transactions | Digital data to be provided | Cross-checking and verifying
--- | --- | --- | ---
DIAL1 | As agreed by the parties to the transaction | At least one of the seven items listed for DIAL2 | No cross-checking required
DIAL2 | As agreed by the parties to the transaction | All seven items: personal identification number or ID card number; last name, middle name and first name; date of birth; gender; nationality; mobile phone number; personal email address | The digital data provided is cross-checked online or in person against copies of documents/papers issued by the competent authorities
DIAL3 | Transactions requiring proof of identity; public services or procedures of state authorities provided to citizens, enterprises and society | All seven items listed for DIAL2 | One of the following: cross-checking online or in person against copies of documents/papers issued by the competent authorities; electronic connection with the citizen identity card; connection with the national database on population
DIAL4 | Same as DIAL3 | All seven items listed for DIAL2 | One of the three DIAL3 methods; in addition, the in-person or real-time online attendance of the individual is mandatory
A Digital ID is created by registering, either in person or electronically, with an organization providing e-Identification and e-Authentication services (“Service Provider“). The documents required for the registration dossier are determined by the Service Provider and depend on the DIAL required for the transaction in question. The Digital ID created must be unique within the Service Provider's system. Except for DIAL1, the validity period of a Digital ID must not exceed the validity period of the identity document provided.
- e-Authentication
Once an individual uses their assigned Digital ID to enter into transactions in a network environment, the organization providing services in that network and requiring the use of a Digital ID (“Digital ID Using Entity“) may wish to verify that the individual is in fact the Digital ID Subject. This verification by a Digital ID Using Entity is called e-Authentication under Article 2.4 of the Draft Decree.
e-Authentication can rely on various types of authentication factors (which are possessed by the Digital ID Subject) and/or means of authentication (issued by the Service Provider). As with e-Identification, the authentication factors and means of authentication required for e-Authentication depend on the applicable DIAL, as follows:
DIAL | Authentication factor | Means of authentication
--- | --- | ---
DIAL1 | At least one type | Not required
DIAL2 | At least one type | Not required
DIAL3 | At least two types | Not required
DIAL4 | At least two types | Cryptographic device or software
- e-Identification and e-Authentication services
- Licensing requirement
The Draft Decree sets out licensing requirements for companies providing e-Identification and e-Authentication services. In particular, an eligible Service Provider must be a Vietnamese entity and must meet certain requirements on human resources, finance, technical specifications and processes for managing and providing the services, as well as comply with cybersecurity laws.
- Retention and update of relevant data of Digital ID
Under Article 13 of the Draft Decree, information related to Digital IDs and the relevant transactions must be retained for at least five years after the revocation of the Digital ID in question. The data to be retained and the schedule for updating it depend on the DIAL, as follows (where a cell was merged across levels in the Draft Decree's table, the same requirement is repeated here for each level it covers):

DIAL | Data type | Update schedule
--- | --- | ---
DIAL1 | Information related to Digital IDs and the relevant transactions | Upon any change
DIAL2 | Information related to Digital IDs and the relevant transactions | Upon any change
DIAL3 | Information related to Digital IDs and the relevant transactions; in addition, information about transactions, from the time they are carried out, must be stored for the lifetime of the Digital ID | Periodically, every six months
DIAL4 | Same as DIAL3 | Periodically, every six months
- Right to use personal information collected from the Digital ID registration
Under the Draft Decree, a Service Provider may only provide the personal information collected during Digital ID registration for transactions within the registered scope and purposes. Provision of that personal information for any other purpose requires the consent of the relevant Digital ID Subject, and disclosure to any third party without such consent is prohibited.
***
For further information, and to discuss what this development might mean for you, please contact us.
1 Article 2.1 of the Draft Decree.
2 Under Article 2.5 of the Draft Decree, an authentication factor is a factor associated with a Digital ID Subject that is used for e-Authentication. There are three types of authentication factor:
- natural characteristics (biometrics) of the Digital ID Subject
- information known solely to the Digital ID Subject
- digital device owned by the Digital ID Subject
3 A means of authentication is a means owned and controlled by a Digital ID Subject that is issued to that Digital ID Subject by the Service Provider. There are six types of means of authentication:
- password
- list of secret codes
- two-dimensional (2D) barcode
- telecommunications device
- one-time password device, software
- cryptographic device, software
4 Article 2.2 of the Draft Decree.