Circular 46/2022/TT-BCA share, exploit information between National Population Database and other information systems

CIRCULAR

Providing for the connection and sharing and exploitation of information between the National Population Database and national databases, specialized databases and other information systems^[1]

Pursuant to the November 20, 2014 Law on Citizen Identification;

Pursuant to the November 19, 2015 Law on Cyberinformation Security;

Pursuant to the June 12, 2018 Law on Cyber Security;

Pursuant to the Government’s Decree No. 137/2015/ND-CP of December 31, 2015, detailing a number of articles of, and measures to, implement, the Law on Citizen Identification (below referred to as Decree No. 137/2015/ND-CP);

Pursuant to the Government’s Decree No. 37/2021/ND-CP of March 29, 2021, amending and supplementing a number of articles of the Government’s Decree No. 137/2015/ND-CP of December 31, 2015, detailing a number of articles of, and measures to implement, the Law on Citizen Identification (below referred to as Decree No. 37/2021/ND-CP);

Pursuant to the Government’s Decree No. 47/2020/ND-CP of April 9, 2020, on the management, connection and sharing of information of state agencies;

Pursuant to the Government’s Decree No. 85/2016/ND-CP of July 1, 2016, on level-based assurance of safety for information systems;

Pursuant to the Government’s Decree No. 01/2018/ND-CP of August 6, 2018, defining the functions, tasks, powers and organizational structure of the Ministry of Public Security;

At the proposal of the Director of the Police Department for Administrative Management of Social Order;

The Minister of Public Security promulgates the Circular providing for the connection and sharing and exploitation of information between the National Population Database and national databases, specialized databases and other information systems.

Chapter I

GENERAL PROVISIONS

Article 1. Scope of regulation

This Circular provides for the principles of connection and sharing and exploitation of information between the National Population Database and national databases, specialized databases and other information systems; methods of connection and sharing and exploitation of information; conditions for ensuring information security, safety and confidentiality, and examination and supervision of the connection and sharing and exploitation of information with the National Population Database.

Article 2. Subjects of application 

1. The agency managing the National Population Database.

2. The agencies, organizations and individuals specified in Article 8 of Decree No. 137/2015/ND-CP, which was amended and supplemented under Decree No. 37/2021/ND-CP.

Article 3. Principles of connection and sharing and exploitation of information between the National Population Database and national databases, specialized databases and other information systems

1. To ensure compliance with the law on protection of personal data and implementation of current provisions on cyberinformation confidentiality, security and safety.

2. Not to affect rights and responsibilities of related agencies, organizations and individuals or infringe upon the right to privacy, personal and family secrets, unless otherwise provided for by law.

3. The Ministry of Public Security’s agency managing the National Population Database shall be responsible for the connection of, and sharing of information in, the National Population Database with agencies, organizations and individuals in accordance with law.

4. Agencies, organizations and individuals that are permitted to connect with the National Population Database for sharing and exploitation of information must satisfy the law-specified conditions on infrastructure of information systems, connection model, data structure, and information security, safety and confidentiality.

Chapter II

MANAGEMENT OF CONNECTION WITH, AND SHARING AND EXPLOITATION OF INFORMATION IN, THE NATIONAL POPULATION DATABASE

Article 4. Information to be shared with the National Population Database

1. The shared-use Electronic Civil Status Database, Residence Database, Citizen Identification Database, Public Health Database and other specialized databases shall share information about citizens with the National Population Database in accordance with law, ensuring consistency, completeness, accuracy and timeliness.

2. The Ministry of Public Security’s agency managing the National Population Database shall act as a focal point in receiving specialized information pertaining to citizens (specified in the Appendix to this Circular) shared by agencies or organizations with the Ministry of Public Security for exploitation and use in service of population management and other professional requirements of units of the Public Security forces and local Public Security agencies according to their assigned functions, tasks and powers.

Article 5. Methods of connection and sharing of information between the National Population Database and national databases, specialized databases and other information systems

1. The connection and sharing of information between the National Population Database and other national databases, specialized databases, the National Public Service Portal, ministerial- and provincial-level information systems for settlement of administrative procedures and other information systems shall be carried out via the National Data Exchange Platform, National E-Document Exchange Platform and other connection and integration platforms in accordance with law.

2. The connection shall be conducted via application programming interfaces.

Article 6. Conditions for connection with the National Population Database

1. Agencies’ and organizations’ information systems that are connected with the National Population Database must satisfy requirements on assurance of safety for information systems at level 3 or higher as provided under regulations on level-based assurance of safety for information systems.

2. An agency’s or organization’s information system whose system design is adjusted or changes before or after it is connected with the National Population Database shall be examined and evaluated in terms of information security and safety. The examination and evaluation shall be carried out by using technical equipment and software of the People’s Public Security forces. The examination and evaluation cover:

a/ The setting up of security configuration on the system device(s), server(s), application(s) and database(s);

b/ The detection of malware, vulnerabilities and security weaknesses and testing system penetration for the system device(s), server(s) and application(s);

c/ Information safety for the application source code(s);

d/ Hardware security and safety;

dd/ Issuance of regulations and policies on account management, server room entry and exit, management of administrator accounts’ passwords, access management, written agreements on rights, obligations and responsibilities of subjects involved in the management and operation of, and provision of services to, the information system.

3. For information systems managed by the Ministry of National Defense, the Ministry of Public Security’s agency managing the National Population Database shall coordinate with and guide specialized units of the Ministry of National Defense to conduct the evaluation and examination of information security and safety under Clause 2 of this Article.

4. The Cyber Security and Hi-Tech Crime Prevention Department shall assume the prime responsibility for, and coordinate with the Professional Technique Department, the Ministry of Public Security’s agency managing the National Population Database and related units in:

a/ Examining and evaluating information security and safety of information systems requested to be connected with the National Population Database before conducting the connection and issuing written certifications of assurance of information security and safety. The information systems requested to be connected with the National Population Database that have been connected with the Electronic Identification and Authentication Platform shall not be subject to information security and safety examination and evaluation under Clause 2 of this Article;

b/ Conducting unscheduled examination and evaluation of the assurance of information security and safety of the information systems connected with the National Population Database under Clause 2 of this Article;

c/ Conducting regular examination and evaluation (once a year) of the assurance of information security and safety of the information systems connected with the National Population Database under Clause 2 of this Article, except the information systems managed by the Ministry of National Defense, the information systems that share cyber security and information safety monitoring data online with the Ministry of Public Security, and information systems for which competent agencies have conducted security and safety examination and evaluation and certified security and safety assurance within 1 year in accordance with the law on level-based assurance of safety for information systems.

Article 7. Process of connection between the National Population Database and national databases, specialized databases and other information systems

1. Information system-managing agencies and organizations shall send written requests for connection with the National Population Database to the Ministry of Public Security’s agency managing the National Population Database.

A written request must have the following contents: the unit registering for connection and its assigned functions, tasks and powers; name of the information system or database requested to be connected and share information with the National Population Database; information on the person in charge of the connection and sharing and declaration of  information; purpose(s), scope and contents of to-be-shared information, and the number of information fields that need to be shared; services registered for use in the National Population Database; and technical descriptions of the system components connected with the National Population Database.

2. After receiving a written request, the Ministry of Public Security’s agency managing the National Population Database shall:

a/ Provide technical documents to the requesting agency or organization to serve the connection with, and sharing and exploitation of information in, the National Population Database;

b/ Support the agency or organization in connecting with, and adjusting software and carrying out technical  tests for the services of sharing and exploiting information in, the National Population Database;

c/ Coordinate with the Cyber Security and Hi-Tech Crime Prevention Department and the Professional Technique Department under the Ministry of Public Security and related units in examining and evaluating the assurance of information security and safety of the information system of the requesting agency or organization.

Article 8. Storage of logs of connection and information sharing and exploitation 

1. The Ministry of Public Security’s agency managing the National Population Database and agencies and organizations conducting the connection with, and sharing and exploitation of information in, the National Population Database shall keep logs of connection with, and sharing and exploitation of information in, the National Population Database to serve monitoring, examination and supervision work.

2. The period of retention of logs of connection with, and sharing and exploitation information in, the National Population Database is at least 2 years after connection or sharing and exploitation of information is carried out.

Article 9. Response to incidents, support and resolution of problems of connection with, and sharing and exploitation of information in, the National Population Database

1.  Agencies and organizations conducting the connection with, and sharing and exploitation of information in, the National Population Database shall formulate manuals for use and provision of the services of exploitation of their agencies or organizations’ information in the National Population Database.

2. Agencies, organizations and individuals may request response to incidents or provision of support and resolution of problems arising in the course of operating and using functions or connecting with, and sharing and exploiting information in, the National Population Database via email at [email protected], by phone, or in-person working sessions at the head office of the Ministry of Public Security’s agency managing the National Population Database or send written requests for support and resolution of problems.

Article 10. Rights and responsibilities of agencies, organizations and individuals conducting the connection with, or sharing and exploitation of information in, the National Population Database

1. Agencies, organizations and individuals conducting the connection with, or sharing and exploitation of information in, the National Population Database have the following rights:

a/ To exploit and use information in the National Population Database within the ambit of their assigned functions and tasks and based on the purposes registered with the agency managing the National Population Database.

b/ To request the Ministry of Public Security’s agency managing the National Population Database to solve problems that affect their rights to exploit and use information in the National Population Database.

2. Agencies, organizations and individuals conducting the connection with, or  sharing and exploitation of information in, the National Population Database have the following responsibilities:

a/ To comply with this Circular and the regulations on management, connection and sharing and use of information;

b/ To exploit and use information in the National Population Database within the permitted scope and based on the agreed contents on information sharing;

c/ To share the information specified in Article 4 of this Circular with the National Population Database;

d/ To timely inform the Ministry of Public Security’s agency managing the National Population Database of errors in the information that have been shared or exploited and used;

dd/ To coordinate with competent agencies and the Ministry of Public Security’s agency managing the National Population Database in solving problems arising in the course of connection with, and sharing, exploitation and use of information in, the National Population Database.

Article 11. Responsibilities of the Ministry of Public Security’s agency managing National Population Database

1. To formulate manuals on, and provide technical support in service of, the connection with, and sharing and exploitation of information in, the National Population Database.

2. To assume the prime responsibility for, and coordinate with agencies and organizations having their information systems connected with the National Population Database and related agencies in, responding to incidents and solving problems arising in the course of implementation.

3. To coordinate with related units in examining the assurance of information security and safety of information systems connected and sharing information with the National Population Database under regulations.

Article 12. Citizens’ search and exploitation of information via public service portals

A citizen shall search and exploit information via a public service portal as follows:

1. Logging in the public service portal.

2. Selecting the personal information search or exploitation service.

3. The Ministry of Public Security shall return citizens’ search results by displaying information on the public service portal or return information exploitation results by issuing a notice made according to Form No. 01 promulgated together with this Circular.

Chapter III

ORGANIZATION OF IMPLEMENTATION

Article 13. Effect

This Circular shall take effect on December 19, 2022.

Article 14. Implementation responsibility

1. The Police Department for Administrative Management of Social Order shall guide, examine, urge and implement this Circular.

2. Heads of units of the Ministry of Public Security, directors of provincial-level Public Security Departments and related agencies, units and individuals shall implement this Circular.

Any difficulties and problems arising in the course of implementation of this Circular should be promptly reported to the Ministry of Public Security (via the Police Department for Administrative Management of Social Order) for timely guidance.-

Minister of Public Security
TO LAM