Last month the Government issued a draft decree on the process for obtaining and using electronic IDs in Vietnam. This comes as a welcome installment in Vietnam’s slowly moving modernization of its legal regulations regarding the internet, data, and digital media. This post will review the basics of the draft decree relevant to most people interested in the concept. The decree contains a great deal of material on becoming certified as an entity for authenticating digital IDs, but I won’t go into that. If you really want to know you can get in touch.
There are a few basic concepts explained in the definitions. An electronic ID is a digital number that allows an individual to be identified on the internet. The owner of the electronic ID is the specific individual who has been authenticated as connected to the electronic ID. Authentication of an electronic ID is the process of connecting the individual with the number by confirming the identity of the individual applicant. That confirmation involves the individual providing a government-issued ID to the entity that is conducting the authentication process.
An electronic ID in Vietnam must contain a code which is unique to the individual authenticated, plus certain personal information regarding the owner of the electronic ID. That information must include the Personal ID or Citizenship number of the individual, the full name, birthdate, gender, nationality, phone number, and email. Other information may be included if agreed between the owner of the electronic ID and the provider of the electronic ID.
It is interesting to note that the draft decree goes out of its way to discuss the data protection principles revolving around this data. ID providers can only use the data for purposes specified to the owner of the ID upon its creation and must obtain the owner’s permission prior to sharing that data with any third party. It even specifies that the permission must take a form that is either printable or displayable through digital means. This corresponds with the provisions in the draft decree on personal data protection which was issued earlier this year. It will certainly be interesting to see how these provisions read when the final decrees are promulgated.
Electronic IDs in Vietnam are separated into four levels with varying levels of authentication required. At level one, the electronic ID is only authenticated by personal data provided by the owner of the ID. Level two requires a copy of a government-issued ID to be provided by the owner of the ID. Level three requires a direct investigation of the ID or electronic confirmation of the ID from the relevant government authorities. Level four requires a face-to-face meeting, either directly or electronically, between the owner of the ID and the entity providing the ID.
The process for obtaining each of these levels of authentication is set out in detail, which I won’t bore you with at this stage, and each level contains the requirements of the preceding level. Once an electronic ID is issued, the level of its authentication will lend it greater trust with entities that accept electronic IDs in Vietnam. Entities accepting electronic IDs will be allowed to set the level of authentication which they will accept, though the technological requirements for exchanging electronic IDs and accepting them safely will be promulgated at a later date.
The bulk of the draft decree involves the qualifications and requirements for entities involved with the authentication and issuance of electronic IDs. Protection of data, network information security, and cybersecurity are linked to existing laws for each of those subjects and cited as necessary in the performance of creating, authenticating, and using electronic IDs. Responsibilities of everyone involved, from the individual owner of the electronic ID to the relevant government entities governing electronic IDs, are set out.
Specifically, the owner of an electronic ID must protect his own personal data and abide by the relevant laws in sharing that information on the internet, report changes in his personal information immediately when they occur, and guarantee the supervision of his method of authentication. If the electronic ID is at level three or higher, he must also immediately report to the provider of the electronic ID whenever he loses control of the ID, when a third party improperly accesses the ID, or in other instances that may compromise the safety of the data.
The responsibilities of entities that accept electronic IDs involve deciding what level of authentication they will accept for transactions on the internet, concluding agreements with those providing the electronic IDs to ensure the freedom of choice by owners of electronic IDs, and not sharing the personal data attached to the electronic ID unless they have the agreement of the owner of the ID.
The draft decree also contains model notifications for the various steps of obtaining, amending, and using the electronic IDs. These range from requests for an electronic ID to requests for obtaining permission to become an entity that authenticates electronic IDs.
Electronic IDs have long been needed as Vietnam moves quickly into the electronic age. The massive scale of its digital economy, which is only predicted to expand exponentially, and the recent pilot program for digital money for the unbanked and poor, will only increase the need for authenticated identifications in cyberspace. The draft decree is an important step in preparing the citizens of this country for their impending digital life.