Decree 59/2022/ND-CP on electronic identification and authentication

DECREE

On electronic identification and authentication^[1]

Pursuant to the June 19, 2015 Law on Organization of the Government; and the November 22, 2019 Law Amending and Supplementing a Number of Articles of the Law on Organization of the Government and the Law on Organization of Local Administration;

Pursuant to the June 17, 2020 Law on Investment;

Pursuant to the November 29, 2005 Law on E-Transactions;

Pursuant to the June 29, 2006 Law on Information Technology;

Pursuant to the November 20, 2014 Law on Citizen Identification;

Pursuant to the November 19, 2015 Law on Cyberinformation Security;

Pursuant to the June 12, 2018 Law on Cyber Security;

At the request of the Minister of Public Security;

The Government promulgates the Decree on electronic identification and authentication.

Chapter I

GENERAL PROVISIONS

Article 1. Scope of regulation

This Decree provides e-identity, e-identification and e-authentication; e-authentication services; rights and obligations of e-authentication service users; and responsibilities of related agencies, organizations and individuals.

Article 2. Subjects of application

This Decree applies to Vietnamese agencies, organizations and citizens; and foreign organizations and individuals residing and operating in Vietnam’s territory that are involved in electronic identification and authentication.

Article 3. Interpretation of terms

In this Decree, the terms below are construed as follows:

1. “E-identity” means information of an individual or organization in the electronic identification and authentication system that allows identification of only such individual or organization in the electronic environment.

2. “E-identity subject” means an organization or individual identified in association with its/his/her e-identity.

3. “E-identification” means the registration, collation, creation and association of an e-identity with its subject.

4. “Electronic identification and authentication management agency” means the Police Department for Administrative Management of Social Order of the Ministry of Public Security.

5. “Electronic identification and authentication system” means an information system developed and managed by the Ministry of Public Security to register, create and manage e-identification accounts and perform e-authentication.

6. “E-identification account” means a combination consisting of username, password or another form of authentication which is created by the electronic identification and authentication management agency.

7. “Information synchronized into an e-identification account” means information of an e-identity subject which is shown in papers and documents issued by competent Vietnamese agencies and authenticated through national databases and specialized databases before being synchronized into such e-identification account at the request of the e-identity subject, including information on health insurance card, vehicle registration certificate, driver’s license and tax identification number, or other papers in the fields under the management of ministries or ministerial-level agencies after reaching agreement with the Ministry of Public Security.

8. “E-authentication” means certification and confirmation that certain information is associated with an e-identity subject through the exploitation and collation of information of such e-identity subject in the National Database on Population, the Citizen Identity Database, the National Database on Immigration, other databases and the electronic identification and authentication system or the e-identification account authentication created by the electronic identification and authentication system through an organization providing e-authentication services to confirm the use value of such e-identification account.

9. “Authentication factor” means information used or owned by an e-identity subject.

10. “Means of authentication” include the following factors: password; secret code; 2-dimensional barcode; terminal; one-time password device or software; cryptographic device or software, citizen identity card, passport, portrait photo, and fingerprints used for the purpose of e-authentication.

11. “Organization providing e-authentication services” means a public non-business unit or an enterprise in the People’s Public Security forces that satisfies the conditions for providing e-authentication services specified in this Decree.

12. “VneID” means an application on digital device; “dinhdanhdientu.gov.vn” or “vneid.gov.vn” means an e-identification website created and developed by the Ministry of Public Security to serve e-identification and e-authentication activities in settling administrative procedures and public administrative services and carrying out other transactions in the electronic environment; and develop utilities to serve agencies, organizations and individuals.

13. “Alien identification number” means a unique sequence of natural numbers created by the electronic identification and authentication system to manage the e-identity of an individual foreigner.

14. “E-identification number of an organization” shall be identified through the tax identification number of such organization; if no tax identification number is available, the electronic identification and authentication system shall establish a unique sequence of natural numbers to manage the e-identity of such organization.

15. “Electronic identification and authentication platform” means an information system established, operated and managed by the Ministry of Public Security to serve the exchange of information between the electronic identification and authentication system and information systems of state agencies, political organizations, socio-political organizations and organizations and individuals.

Article 4. Principles of electronic identification and authentication

1. To comply with the Constitution and laws, and guarantee the lawful rights and interests of agencies, organizations and individuals.

2. To ensure accuracy and uniqueness in electronic identification and authentication, and publicity and transparency in management and convenience for agencies, organizations and individuals.

3. To ensure security and safety of equipment and data security upon the performance of electronic identification and authentication.

4. Agencies, organizations and individuals that are entitled to exploit and use e-identities shall secure confidentiality of e-identification account information and comply with the law on personal data protection.

5. All violations of the law on electronic identification and authentication shall be promptly detected and handled in accordance with law.

6. To ensure conformity with treaties to which Vietnam is a contracting party.

Article 5. Exploitation of information in the electronic identification and authentication system

1. Information systems of state agencies, political organizations, socio-political organizations and public service organizations shall be connected to the electronic identification and authentication system to enable exploitation of information of e-identity subjects in order to serve the settlement of administrative procedures and public administrative services in the electronic environment and other state management activities according to assigned functions and tasks via the electronic identification and authentication platform.

2. State agencies, political organizations, socio-political organizations and public service organizations may exploit information in the electronic identification and authentication system via the VNeID application, e-identification website, and chip-based citizen identity cards with devices and software meeting technical requirements guided by the Minister of Public Security.

3. E-identity subjects may exploit and share e-identity information (except biometric information) and other information of their own which has been integrated into e-identification accounts in the electronic identification and authentication system with other individuals and organizations via the VNeID application.

Article 6. Terms on use of e-identification accounts

E-identity subjects using e-identification accounts shall comply with the following provisions:

1. To refrain from using e-identification accounts in activities or transactions that are against the law or infringe upon security, national defense, national interests, public interests, or lawful rights and interests of organizations and individuals.

2. To refrain from illegally intervening in operation of the electronic identification and authentication system.

Chapter II

E-IDENTITIES, E-IDENTIFICATION

Section 1

E-IDENTITIES

Article 7. E-identities of Vietnamese citizens

E-identities of a Vietnamese citizen include:

1. Personal information:

a/ Personal identification number;

b/ Family name, middle name and first name;

c/ Date of birth;

d/ Gender.

2. Biometric information:

a/ Portrait photo;

b/ Fingerprints.

Article 8. E-identities of foreigners

E-identities of a foreigner include:

1. Personal information:

a/ Alien identification number;

b/ Family name, middle name and first name;

c/ Date of birth;

d/ Gender;

dd/ Citizenship;

e/ Serial number, symbol, date and type of identification paper, and place of issuance of passport or international travel document.

2. Biometric information:

a/ Portrait photo;

b/ Fingerprints.

Article 9. E-identities of organizations

E-identities of an organization include:

1. E-identification number of the organization.

2. Name of the organization, including Vietnamese name, abbreviated name (if any) and foreign-language name (if any).

3. Date of establishment of the organization.

4. Head office address.

5. Personal identification number or identification number; and family name, middle name and first name of the at-law representative or head of the organization.

Article 10. Updating of e-identity information

1. Any change in information on e-identities of individuals in the National Database on Population, the Electronic Civil Status Database, the Citizen Identity Database and the National Database on Immigration shall be automatically updated to the e-identification account of such individuals in the identification and authentication system.

2. Any change in information on e-identities of organizations in the National Business Registration Database, national databases and other specialized databases shall be automatically updated to the e-identification account of such organizations in the electronic identification and authentication system.

Section 2

E-IDENTIFICATION

Article 11. Subjects eligible for grant of e-identification accounts

1. Vietnamese citizens who are full 14 years of age or older are eligible for grant of e-identification accounts; Vietnamese citizens who are under 14 years of age or who are under guardianship may make registration in e-identification accounts of their parents or guardians.

2. Foreigners entering Vietnam who are full 14 years of age or older are eligible for grant of e-identification accounts; foreigners who are under 14 years of age or who are under guardianship may make registration in e-identification accounts of their parents or guardians.

3. Agencies and organizations established or registered to operate in Vietnam.

Article 12. Classification of levels of e-identification accounts

1. Level-1 e-identification accounts of Vietnamese citizens cover the information specified in Clause 1 and at Point a, Clause 2, Article 7 of this Decree. Level-1 e-identification accounts of foreigners cover the information specified in Clause 1 and at Point a, Clause 2, Article 8 of this Decree.

2. Level-2 e-identification accounts of individuals cover the information specified in Article 7 or 8 of this Decree.

3. E-identification accounts of organizations covering the information specified in Article 9 of this Decree are level-2 e-identification accounts.

Article 13. Use of e-identification accounts

1. E-identity subjects shall use e-identification accounts to log in and use features and utilities on the VNeID application and e-identification website.

2. E-identification accounts created by the electronic identification and authentication system may be used to perform administrative procedures and public administrative services in the electronic environment and carry out other activities to meet the needs of e-identity subjects.

3. Agencies, organizations and individuals may create accounts to serve their activities and shall have their accounts authenticated and ensure the accuracy of the accounts they have created, and decide on the level and use value of each level of accounts. Information used to create the account of a subject shall be provided by such subject or allowed for use by an agency, organization or individual to create the account.

4. The use of level-1 e-identification accounts created by the electronic identification and authentication system is valid to prove the information specified in Clause 1, Article 7 of this Decree, for e-identity subjects being Vietnamese citizens, or to prove the information specified in Clause 1, Article 8 of this Decree, for e-identity subjects being foreigners, in activities and transactions that require provision of personal information of e-identity subjects.

5. The use of level-2 e-identification accounts created by the electronic identification and authentication system for e-identity subjects being Vietnamese citizens is equivalent to the use of citizen identity cards in the performance of transactions that require production of citizen identity cards; and is valid for the provision of information in assorted papers of citizens which has been synchronized into their e-identification accounts for collation by competent agencies and organizations upon performance of transactions that require production of such papers.

6. The use of level-2 e-identification accounts created by the electronic identification and authentication system for e-identity subjects being foreigners is equivalent to the use of passports or international travel documents in the performance of transactions that require production of passports or international travel documents; and is valid for the provision of information in assorted papers of foreigners which has been synchronized into e-identification accounts for collation by competent agencies and organizations upon performance of transactions that require production of such papers.

7. E-identification accounts created by the electronic identification and authentication system for e-identity subjects being organizations shall be used by at-law representatives of such organizations or assigned to authorized persons for use. The use of e-identification accounts of organizations is valid to prove e-identities of such organizations upon the performance of transactions that require proof of information about such organizations; and is valid for the provision of information in assorted papers of such organizations which has been synchronized into e-identification accounts for collation by competent agencies and organizations upon the performance of transactions that require production of such papers.

8. When an e-identity subject uses a level-2 e-identification account in electronic transactions or activities, such use is as valid as production of papers and documents to prove that the information has been integrated into the e-identification account.

Chapter III

E-IDENTIFICATION ACCOUNTS AND E-AUTHENTICATION

Article 14. Order and procedures for registration of e-identification accounts for Vietnamese citizens

1. Registration of level-1 e-identification accounts via the VNeID application for citizens who have been granted chip-based citizen identity cards

a/ Citizens shall use mobile devices to download and install the VNeID application.

b/ Citizens shall use the VNeID application to enter information about their personal identification numbers and telephone numbers or email addresses; provide information according to provided instructions on the VNeID application; take portrait photos by mobile devices and send requests for grant of e-identification accounts to the electronic identification and authentication management agency via the VNeID application.

c/ The electronic identification and authentication management agency shall notify the account registration result via the VNeID application or SMS or email addresses.

2. Registration of level-2 e-identification accounts

a/ For citizens who have been granted chip-based citizen identity cards:

Citizens shall come to commune-level police offices or places for performance of procedures for grant of citizen identity cards to carry out procedures for grant of their e-identification accounts. Citizens shall produce their chip-based citizen identity cards, provide information on telephone numbers or email addresses, and request additional information to be integrated into their e-identification accounts.

The dossier-receiving officer shall enter the citizen-provided information into the electronic identification and authentication system; take portrait photos and fingerprints of citizens for authentication with the Citizen Identity Database and confirm the approval of registration to create e-identification accounts.

The electronic identification and authentication management agency shall notify account registration results via the VNeID application or SMS or email addresses.

b/ Police offices shall grant level-2 e-identification accounts together with grant of citizen identity cards in case citizens have not yet been granted chip-based citizen identity cards.

Article 15. Order and procedures for registration of e-identification accounts for foreigners

1. Registration of level-1 e-identification accounts

a/ Foreigners shall use mobile devices to download and install the VNeID application.

b/ Foreigners shall use the VNeID application to enter information about serial numbers of their passports or international travel documents and email addresses or telephone numbers (if any); provide information according to the instructions on the VNeID application; take portrait photos by mobile devices and send requests for grant of e-identification accounts to the electronic identification and authentication management agency via the VNeID application.

c/ The electronic identification and authentication management agency shall notify account registration results via the VNeID application or SMS or email addresses.

2. Registration of level-2 e-identification accounts

a/ Foreigners shall come to the immigration agency under the Ministry of Public Security or immigration agencies of provincial-level Police Departments to carry out procedures for registration of e-identification accounts, produce passports or international travel documents, provide information on email addresses or telephone numbers (if any) and request additional information to be integrated into their e-identification accounts.

b/ The dossier-receiving officer shall enter the foreigner-provided information into the electronic identification and authentication system; take portrait photos and fingerprints of foreigners for authentication with the National Database on Immigration and confirm the approval of registration to create e-identification accounts.

c/ The immigration agency shall send requests for grant of e-identification accounts to the electronic identification and authentication management agency.

d/ The electronic identification and authentication management agency shall notify account registration results via the VNeID application or SMS or email addresses.

Article 16. Order and procedures for registration of e-identification accounts for organizations

1. The at-law representative or the head of an organization (who already has a level- e-identification account) shall log in the VNeID application to register an e-identification account for the organization; provide information according to the instructions on the VNeID application and send a request for grant of an e-identification account to the electronic identification and authentication management agency via the VNeID application.

2. The electronic identification and authentication management agency shall authenticate information on the organization in the National Business Registration Database, national databases and other specialized databases. In case information on the organization is not yet available on the National Business Registration Database, national databases and other specialized databases, the electronic identification and authentication management agency shall verify information on the organization and notify the e-identification account registration result to the organization’s representative who comes to carry out procedures via the VNeID application or SMS or email address.

Article 17. Time limits for grant of e-identification accounts

After receiving a complete and valid dossier as specified in this Decree, the police office shall grant e-identification accounts within:

1. One working day, in case of grant of level-1 e-identification accounts, or 3 working days, in case of grant of level-2 e-identification accounts for Vietnamese citizens who have been granted chip-based citizen identity cards; or 7 working days for Vietnamese citizens who have not yet been granted chip-based citizen identity cards.

2. One working day, in case of grant of level-1 e-identification accounts; 3 working days, in case of grant of level-2 e-identification accounts for persons whose information on portrait photos and fingerprints is available on the National Database on Immigration; or 7 working days, in case of grant of level-2 e-identification accounts for persons whose information on portrait photos and fingerprints is not yet available on the National Database on Immigration, for foreigners.

3. For organizations:

a/ One working day, in case to-be-authenticated information on organizations is available on relevant national databases or specialized databases.

b/ Fifteen days, in case to-be-authenticated information on organizations is not available on relevant national databases or specialized databases.

Article 18. Activation of e-identification accounts

E-identity subjects shall activate their e-identification accounts on the VNeID application within 7 days after receiving a notice of the result of grant of their e-identification accounts. After 7 days, if their e-identification accounts remain inactivated, e-identity subjects shall contact the electronic identification and authentication management agency through the call center for receiving and settling requests on electronic identification and authentication in order to activate their accounts.

Article 19. Locking and unlocking of e-identification accounts

1. Locking of e-identification accounts of citizens

a/ The electronic identification and authentication system shall automatically record and lock an e-identification account in case the e-identity subject requests locking of his/her e-identification account, violates terms on use of the VNeID application, has his/her citizen identity card revoked, or dies. The recording shall be made through the e-identity subject’s declaration on the VNeID application or by the updating of e-identity information to the electronic identification and authentication system specified in Article 10 of this Decree.

b/ The proceeding-conducting body, competent authority or service user that requests locking of its/his/her e-identification account shall send a request for the locking to the police office for consideration and settlement.

c/ Within 2 working days, the head of the police office that receives the request for locking of the e-identification account shall approve the account locking for the case specified at Point b, Clause 1 of this Article and notify such to the agency or organization requesting the locking and the e-identity subject. In case of refusal to lock the account, the police office shall reply in writing, clearly stating the reason.

2. Locking of e-identification accounts of foreigners

a/ The electronic identification and authentication system shall automatically record and lock an e-identification account in case the e-identity subject requests locking of his/her e-identification account, violates terms on use of the VNeID application or dies or his/her passport or international travel document expires or his/her residence duration in Vietnam expires. The recording shall be made through the e-identity subject’s declaration on the VNeID application or by the updating of e-identity information to the electronic identification and authentication system specified in Article 10 of this Decree.

b/ The proceeding-conducting body, the competent authority or the service user that requests locking of its/his/her e-identification account shall send a request for the locking to the police office for consideration and settlement.

c/ Within 2 working days, the head of the police office that receives the request for locking of the e-identification account shall approve the account locking for the case specified at Point b, Clause 1 of this Article and notify such to the agency or organization requesting the locking and the e-identity subject. In case of refusal to lock the account, the police office shall reply in writing, clearly stating the reason.

3. Locking of e-identification accounts of organizations

a/ The electronic identification and authentication system shall automatically record and lock an e-identification account in case the e-identity subject requests locking of its e-identification account, violates terms on use of the VNeID application, is dissolved or ceases operation in accordance with law. The recording shall be made through the e-identity subject’s declaration on the VNeID application or by the updating of e-identity information to the electronic identification and authentication system specified in Article 10 of this Decree.

b/ The proceeding-conducting body, the competent authority or the service user that requests locking of its/his/her e-identification account shall send a request for the locking to the police office for consideration and settlement.

c/ Within 2 working days, the head of the police office that receives the request for locking of the e-identification account shall approve the account locking for the case specified at Point b, Clause 1 of this Article and notify such to the agency or organization requesting the locking and the e-identity subject. In case of refusal to lock the account, the police office shall reply in writing, clearly stating the reason.

4. Unlocking of e-identification accounts

a/ The electronic identification and authentication system shall automatically unlock an e-identification account immediately when bases for automatic locking of the e-identification account no longer exist;

b/ The proceeding-conducting body, the competent authority or the service user that requests unlocking of its/his/her e-identification account shall send a request for the unlocking to the police office for consideration and settlement.

c/ Within 2 working days, the head of the police office that receives the request for unlocking of the e-identification account shall approve the account unlocking for the case specified at Point b, Clause 2 of this Article and notify such to the agency or organization requesting the unlocking and the e-identity subject. In case of refusal to unlock the account, the police office shall reply in writing, clearly stating the reason.

5. Forms of request for locking and unlocking of e-identification accounts:

a/ An e-identity subject shall follow the instructions on the VNeID application to request the locking of its/his/her e-identity account;

b/ The e-identity subject shall contact the call center for receiving and settling requests for electronic identification and authentication, and provide information for authentication of the e-identification account holder to request locking or unlocking of its/his/her e-identification account;

c/ The e-identity subject shall come to the electronic identification and authentication management agency and provide information for authentication of the e-identification account holder to request locking or unlocking of its/his/her e-identification account.

6. Locking and unlocking of e-identification accounts upon requests of proceeding-conducting bodies and competent authorities

Proceeding-conducting bodies and competent authorities shall send a written request to the electronic identification and authentication management agency for locking or unlocking of e-identification accounts, clearly stating the reason for and duration of the locking.

Article 20. Competence to grant e-identification accounts and decide on locking and unlocking of e-identification accounts

1. The Director of the Police Department for Administrative Management of Social Order of the Ministry of Public Security has the competence to grant e-identification accounts; decide on automatic locking and unlocking of e-identification accounts in the electronic identification and authentication system and request locking and unlocking of e-identification accounts of department-level agencies or the equivalent and higher-level agencies.

2. Heads of Police Divisions for Administrative Management of Social Order of provincial-level Police Departments may decide on locking and unlocking of e-identification accounts, for requests received at provincial-level Police Departments.

3. Heads of district-level police offices may decide on locking and unlocking of e-identification accounts, for requests received at district-level police offices.

4. Heads of commune-level police stations may decide on locking and unlocking of e-identification accounts, for requests received at commune-level police stations.

Article 21. Storage of information in the electronic identification and authentication system

1. Information on e-identification accounts shall be permanently stored in the electronic identification and authentication system.

2. Information on the history of use of e-identification accounts shall be stored in the electronic identification and authentication system for 5 years from the time such an account is used.

Article 22. Connection and use of e-identification accounts created by the electronic identification and authentication system

1. Conditions for an organization or individual to connect to the electronic identification and authentication system:

a/ Having infrastructure facilities and information system for the connection;

b/ Having a safe information system serving the connection that meets the law-specified criteria for an information system of level 3 or higher level.

2. Order, procedures and dossiers of request for connection:

a/ An individual or organization that wishes for connection to the electronic identification and authentication system shall send a written request for connection to the electronic identification and authentication management agency, clearly stating the scope and purpose of the connection, enclosed with papers and documents proving his/her/its satisfaction of the conditions for connection specified in Clause 1 of this Article.

b/ Based on the conditions for connection specified in Clause 1 of this Article and the scope and purpose of connection of the connection-requesting individual or organization, the electronic identification and authentication management agency shall organize appraisal and on-site inspection and decide to permit the connection.

c/ Within 30 days after receiving the connection request, the electronic identification and authentication management agency shall consider and issue a decision to permit the connection; if refusing to permit the connection, it shall issue a written reply, clearly stating the reason.

3. Conducting the connection:

a/ After the electronic identification and authentication management agency issues a written approval of connection of the electronic identification and authentication system with the information system of an organization or individual, the organization providing e-authentication services shall conduct the connection under a service provision contract signed with such individual or organization.

b/ The organization providing e-authentication services shall cease the connection in case the individual or organization violates the service use agreements in the service provision contract, and report such cessation to the electronic identification and authentication management agency for notification to the individual or organization.

Article 23. E-authentication

1. Agencies managing specialized databases, state agencies, political organizations, socio-political organizations, and public service organizations may authenticate information of e-identity subjects through agencies managing national databases or specialized databases and the electronic identification and authentication system; and authenticate e-identification accounts via the electronic identification and authentication system.

2. Individuals and organizations other than those specified in Clause 1 of this Article may authenticate e-identification accounts created by the electronic identification and authentication system through organizations providing e-authentication services in order to authenticate that such accounts are created by the electronic identification and authentication system and remain valid upon the performance of administrative procedures, public administrative services and other transactions in the electronic environment. Organizations providing e-authentication services may not authenticate identity information and other information of e-identification account holders, except cases of necessity as decided by the Minister of Public Security.

The authentication of e-identification accounts upon requests of individuals and organizations other than those specified in Clause 1 of this Article shall be carried out according to agreements in service provision contracts signed with organizations providing e-authentication services. The authentication of e-identification accounts shall be approved by e-identity subjects.

3. Ministers, ministerial-level agencies and provincial-level People’s Committees managing national databases and specialized databases shall guide the authentication of information of e-identity subjects which is available on databases under their management.

Article 24. Levels of authentication of e-identification accounts

1. Level 1: The authentication of e-identification accounts shall be performed based on one authentication factor specified in Clause 9, Article 3 and the means of authentication specified in Clause 10, Article 3 of this Decree, without any biometric information.

2. Level 2: The authentication of e-identification accounts shall be performed based on two different authentication factors specified in Clause 9, Article 3 and the corresponding means of authentication specified in Clause 10, Article 3 of this Decree, without any biometric information.

3. Level 3: The authentication of e-identification accounts shall be performed based on two or more different authentication factors specified in Clause 9, Article 3 and the corresponding means of authentication specified in Clause 10, Article 3 of the Decree, including one biometric information item.

4. Level 4: The authentication of e-identification accounts shall be performed based on authentication factors including portrait photo and fingerprints against information on the citizen identity card or in the Citizen Identity Database or the National Database on Immigration.

Article 25. Methods of e-authentication in performance of transactions via the electronic identification and authentication system

1. For online transactions, e-authentication shall be performed via means of authentication suitable to the level of security required by the concerned online service providers.

2. For the cases in which the authentication of account information is performed at the place of transaction, the authentication shall be performed via the authentication solution provided on the VNeID application.

Chapter IV

E-AUTHENTICATION SERVICES

Article 26. E-authentication services

1. E-authentication services constitute a conditional business line.

2. Organizations providing e-authentication services must satisfy the conditions specified in Article 27 of this Decree and obtain a certificate of eligibility for provision of e-authentication services granted by the Ministry of Public Security.

3. Agencies, organizations and individuals that create identification accounts under Clause 3, Article 13 of this Decree are not required to comply with Articles 27, 28, 29 and 30 of this Decree.

Article 27. Conditions for provision of e-authentication services

1. Conditions on an organization/enterprise

Being a public non-business unit or an enterprise of the People’s Public Security forces.

2. Conditions on personnel

a/ The head of the organization or the at-law representative of the enterprise is a Vietnamese citizen permanently residing in Vietnam.

b/ The organization/enterprise must have personnel who possess university or higher degree in information security or information technology or electronics and telecommunications to take charge of service provision, system administration, system operation, and assurance of information security for its system.

3. Conditions on techniques and processes for management of the provision of e-authentication services and security and order assurance plans

The organization/enterprises applying for a certificate of eligibility for provision of e-authentication services must have a Scheme on provision of e-authentication services, comprising the following documents:

a/ Plans and processes of provision of e-authentication services, including commentaries on the information technology system; commentaries on the technical plan of technological solutions; plan on data storage and assurance of data integrity and information security for the e-authentication service system; plan on protection of personal data of related individuals and organizations; plan on assurance of security and order; plan on fire prevention and fighting, disaster prevention and assurance of stable and smooth operation of the e-authentication service system;

b/ A document introducing its owned machinery and equipment currently based in Vietnam in conformity with the requirements of the law on fire and explosion prevention and fighting, which are resistant to flood, inundation, earthquake, electromagnetic interference, and unauthorized human intrusion.

Article 28. Dossier, order and procedures for grant of a certificate of eligibility for provision of e-authentication services

1. Dossier composition:

a/ An application for a certificate of eligibility for provision of e-authentication services, made according to Form XT01 provided in the Appendix to this Decree;

b/ The Scheme and descriptive documents as specified in Clause 3, Article 27 of this Decree.

2. Order, time limit and method of grant of a certificate:

a/ An organization/enterprise shall hand-deliver or send by post to the Ministry of Public Security or submit via the National Public Service Portal or the Ministry of Public Security’s Public Service Portal 1 set of dossier of application for a certificate of eligibility for provision of e-authentication services specified in Clause 1 of this Article;

b/ In case the dossier is not complete or valid as specified in Clause 1 of this Article, within 3 working days after receiving it, the Ministry of Public Security shall notify thereof in writing to the organization/enterprise for the latter to supplement the dossier;

c/ Within 3 working days after receiving a valid dossier, the Ministry of Public Security shall consult related ministries and ministerial-level agencies; within 10 days after receiving the consultation document from the Ministry of Public Security, the consulted ministries and ministerial-level agencies shall give their written replies;

d/ Within 30 days after receiving a complete and valid dossier, the Ministry of Public Security shall carry out the appraisal and physical examination at the organization/enterprise and grant a certificate of eligibility for provision of e-authentication services, made according to Form XT03 provided in the Appendix to this Decree, to the organization/enterprise if the latter is qualified; in case of refusal to grant the certificate, the Ministry of Public Security shall issue a written notice clearly stating the reason.

Article 29. Re-grant and modification of certificates of eligibility for provision of e-authentication services

1. A certificate of eligibility for provision of e-authentication services shall have its contents modified in case the concerned organization/enterprise changes one of the following information items: at-law representative, address of head office, transaction name, and plan and process already appraised by the Ministry of Public Security according to Clause 3, Article 27 of this Decree.

The organization/enterprise shall submit 1 set of dossier of request for modification of the certificate of eligibility for provision of e-authentication services to the Ministry of Public Security as specified at Point a, Clause 2, Article 28 of this Decree. Such a dossier must comprise a request for modification of the certificate of eligibility for provision of e-authentication services, made according to Form XT02 provided in the Appendix to this Decree, and documents demonstrating the changes in information.

a/ In case the organization/enterprise changes one of the information items on its at-law representative, address of head office or transaction name, within 10 days after receiving a complete and valid dossier, the Ministry of Public Security shall appraise the dossier and grant a certificate of eligibility for provision of e-authentication services to the organization/enterprise, if the latter is qualified; in case of refusal to modify the certificate, it shall issue a written notice clearly stating the reason;

b/ In case the organization/enterprise changes one of the information items on the plan and process for provision of e-authentication services, within 30 days after receiving a complete and valid dossier, the Ministry of Public Security shall appraise the dossier, consult related ministries and ministerial-level agencies, conduct physical examination and grant a certificate of eligibility for provision of e-authentication services to the organization/enterprise if the latter is qualified; in case of refusal to modify the certificate, it shall issue a written notice clearly stating the reason.

2. Re-grant of a certificate of eligibility for provision of e-authentication services which is lost or damaged:

a/ The organization/enterprise shall submit 1 set of dossier of request for re-grant of the certificate of eligibility for provision of e-authentication services to the Ministry of Public Security as specified at Point a, Clause 2, Article 28 of this Decree. Such a dossier must comprise a request for re-grant of a certificate of eligibility for provision of e-authentication services, made according to Form XT02 provided in the Appendix to this Decree;

b/ Within 3 working days after receiving the request, the Ministry of Public Security shall consider and re-grant the certificate of eligibility for provision of e-authentication services to the organization providing e-authentication services; in case of refusal to re-grant the certificate, it shall issue a written notice clearly stating the reason.

Article 30. Revocation of certificates of eligibility for provision of e-authentication services

1. An organization/enterprise providing e-authentication services shall have its certificate revoked in the following cases:

a/ The organization/enterprise has not been operating continuously for 6 months or more;

b/ The organization/enterprise is dissolved or goes bankrupt in accordance with law;

c/ The organization/enterprise no longer provides e-authentication services;

d/ The organization/enterprise violates the law on protection of personal data, information security or cyber security.

2. The Ministry of Public Security shall issue decisions on revocation of certificates of eligibility for provision of e-authentication services, made according to Form XT04 provided in the Appendix to this Decree.

3. Organizations providing e-authentication services whose certificates are revoked shall be responsible for guaranteeing the lawful rights and interests of e-identity subjects and related parties in accordance with law.

Article 31. Expenses for grant and use of e-identification accounts and use of e-authentication services

1. E-identity subjects that are Vietnamese agencies, organizations or citizens are not required to pay expenses for registration for grant of e-identification accounts and expenses for use of e-identification accounts created by the electronic identification and authentication system.

2. Organizations and individuals using e-authentication services shall pay expenses to organizations providing e-authentication services in accordance with law.

Chapter V

RESPONSIBILITIES OF AGENCIES, ORGANIZATIONS AND INDIVIDUALS

Article 32. Responsibilities of e-identity subjects

1. To protect e-identity information.

2. To ensure security of authentication factors.

3. To immediately notify organizations providing e-authentication services when losing control of means of authentication or detecting unauthorized users of their e-identities or having other reasons that may cause unsafe use of e-authentication services.

Article 33. Responsibilities of service users

1. To abide by technical regulations on electronic identification and authentication.

2. To manage and ensure confidentiality of information on e-identification accounts and ensure safe use of e-identification accounts.

3. To take responsibility for the transactions they have performed and comply with regulations of related parties with regard to e-transactions.

Article 34. Responsibilities of organizations providing e-authentication services and agencies, organizations and individuals creating accounts by themselves

1. Responsibilities of organizations providing e-authentication services

a/ To provide e-authentication services to organizations and individuals on the basis of service provision contracts;

b/ To operate communication channels and provide services around the clock;

c/ To comply with the laws on cyberinformation security, cyber security, and e-transactions, and standards and technical regulations in the field of e-authentication;

d/ To comply with plans and processes for provision of e-authentication services appraised by the Ministry of Public Security;

dd/ To send reports on e-authentication activities to the electronic identification and authentication management agency on a biannual basis or an annual basis or at the request of the electronic identification and authentication management agency.

2. Responsibilities of agencies, organizations and individuals that create accounts for their own activities:

a/ To take responsibility for the accuracy of the accounts they create;

b/ To protect personal data they collect and manage in accordance with law;

c/ To obtain the consent of data subjects in all activities related to the management, exploitation and use of data;

d/ To delete data they collect and manage at the request of the data subjects, unless otherwise provided for by law;

dd/ To send reports on identification activities to the electronic identification and authentication management agency upon request.

Article 35. Responsibilities of the Ministry of Public Security

1. To build, manage, protect and operate the electronic identification and authentication system; to apply e-identification accounts in state management, administrative reform, and disaster and epidemic prevention and control.

2. To perform the state management of electronic identification and authentication.

3. To issue guidance on technical standards, processes and conditions for ensuring connection with the electronic identification and authentication system; and the process for e-authentication of organizations providing e-authentication services.

4. To assume the prime responsibility for, and coordinate with ministries and ministerial-level agencies in, connecting national databases and specialized databases in service of electronic identification and authentication.

5. To assume the prime responsibility for, and coordinate with the Ministry of Information and Communications, Ministry of National Defense, Ministry of Justice and related ministries and ministerial-level agencies in, inspecting and examining electronic identification and authentication activities.

6. To settle complaints and denunciations about, and guide agencies, organizations and individuals in, registration and management of electronic identification and authentication.

7. To connect and integrate the electronic identification and authentication system with the e-identity exchange platform of the National Public Service Portal to serve the settlement of administrative procedures and provision of online public services in accordance with law.

8. To guide the application of standards and technical regulations in electronic identification and authentication activities.

9. To assume the prime responsibility for, and coordinate with the Ministry of Information and Communications, Ministry of National Defense and Government Cipher Committee in, ensuring information security and confidentiality for the electronic identification and authentication system.

10. To assume the prime responsibility for, and coordinate and reach agreement with ministries, ministerial-level agencies and government-attached agencies in, specifying types of papers and documents for, and plans on, synchronization of information into e-identification accounts.

11. To assume the prime responsibility for, and coordinate and reach agreement with ministries, ministerial-level agencies, government-attached agencies, Government Cipher Committee, and provincial-level People’s Committees in, specifying plans on data connection and sharing for use of e-identities and e-identification accounts provided or created by the electronic identification and authentication system; and in ensuring information confidentiality and security.

12. To coordinate with ministries, ministerial-level agencies, government-attached agencies, and provincial-level People’s Committees in authenticating and synchronizing data of accounts created and used by the National Public Service Portal and ministerial- and provincial-level information systems for settlement of  administrative procedures with accounts created by the electronic identification and authentication system.

13. To assume the prime responsibility for, and coordinate with the Ministry of Justice, Ministry of Planning and Investment and Ministry of National Defense in, ensuring the connection, sharing and updating of information in the National Population Database, the National Database on Immigration, the Electronic Civil Status Database, and the National Business Registration Database to serve electronic identification and authentication.

14. To ensure that the communication channel and the electronic identification and authentication system operate around the clock.

Article 36. Responsibilities of the Ministry of Information and Communications

1. To ensure the use of e-identities and e-identification accounts to perform administrative procedures and public administrative services in the electronic environment according to their functions.

2. To assume the prime responsibility for, and coordinate with the Ministry of Public Security in, providing technical regulations on connection between the National Data Integration and Sharing Platform and the Electronic Identification and Authentication Platform and other related systems, ensuring information confidentiality and security.

3. To coordinate with the Ministry of Public Security and Ministry of National Defense in ensuring information security and confidentiality for the electronic identification and authentication system.

Article 37. Responsibilities of the Ministry of National Defense

1. To guide its attached agencies, units, enterprises and individuals to conduct electronic identification and authentication in accordance with regulations on protection of state secrets in the field of national defense.

2. To ensure the use of e-identities and e-identification accounts to perform administrative procedures and public administrative services in the electronic environment within its management functions prescribed by law.

3. To coordinate and reach agreement with the Ministry of Public Security in specifying plans on connection and sharing for use of e-identities and e-identification accounts provided and created by the electronic identification and authentication system.

4. To coordinate with the Ministry of Public Security in ensuring information security and cyber security for the electronic identification and authentication system.

Article 38. Responsibilities of the Government Cipher Committee

1. To guide the application of standards and technical regulations on civil cryptography and use of the Government’s specialized digital signature authentication services in electronic identification and authentication activities.

2. To assume the prime responsibility for, and coordinate with the Ministry of Public Security in, assessing cryptographic safety for users of e-authentication services.

3. To coordinate with the Ministry of Public Security in ensuring information security and confidentiality in use of cryptographic products for the electronic identification and authentication system and use of e-identities and e-identification accounts in providing the Government’s specialized digital signature authentication services.

Article 39. Responsibilities of other ministries, ministerial-level agencies, government-attached agencies, and provincial-level People’s Committees

1. To coordinate with the Ministry of Public Security in connecting the electronic identification and authentication system with the National Public Service Portal and ministerial- and provincial-level information systems for settlement of administrative procedures to serve the settlement of public administrative services in the electronic environment; the deadline for completing the connection is June 30, 2024.

2. To ensure the use of e-identities and e-identification accounts for performance of administrative procedures and public administrative services in the electronic environment.

3. To coordinate and reach agreement with the Ministry of Public Security in specifying a plan for connection and sharing for use of e-identities and e-identification accounts provided and created by the electronic identification and authentication system, ensuring information security.

4. To ensure stable and smooth operation of national databases and specialized databases for authentication at the request of specialized database management agencies, state agencies, political organizations, socio-political organizations and other organizations assigned to perform public services.

Chapter VI

IMPLEMENTATION PROVISIONS

Article 40. Effect

1. This Decree takes effect on October 20, 2022.

2. Accounts granted by the National Public Service Portal or ministerial- and provincial-level information systems for settlement of administrative procedures may be used to perform administrative procedures and public administrative services in the electronic environment until July 1, 2024.

3. To amend and supplement Clause 1, Article 7 of the Government’s Decree No. 45/2020/ND-CP of April 8, 2020, on the performance of administrative procedures and public administrative services in the electronic environment, as follows:

“1. Organizations and individuals shall carry out administrative procedures on the National Public Service Portal or provincial- and ministerial-level information systems for settlement of administrative procedures via e-identification accounts which are created by the electronic identification and authentication system and connected and integrated on the National Public Service Portal”.

Article 41. Implementation responsibility

1. The Ministry of Public Security shall guide, inspect and urge the implementation of this Decree.

2. In the course of implementation, the Ministry of Public Security shall coordinate with the Ministry of Information and Communications in synthesizing and handling arising issues according to their state management functions and, when necessary, report thereon to the Prime Minister for consideration and decision.

3. Ministers, heads of ministerial-level agencies, heads of government-attached agencies, and chairpersons of provincial-level People’s Committees shall implement this Decree.-

On behalf of the Government
Prime Minister
PHAM MINH CHINH

* The Appendix to this Decree is not translated.