Highlights of new Decree on electronic identification and authentication
image_pdfimage_print

On 25 June 2024, the Government issued Decree No. 69/2024/ND-CP, regulating electronic identification and authentication (“Decree 69”). Decree 69 will take effect on 1 July 2024 and will replace Decree No.59/2022/ND-CP dated 5 September 2022, regulating the same (“Decree 59”).

In this article, we summarize significant new points of Decree 69 compared with Decree 59 as follows:

  1. Applied entities

In addition to the scope of application, applied entities are also expanded. Accordingly, Decree 69 applies not only to Vietnamese agencies, organizations and citizens as well as foreign organizations and individuals residing and operating in Vietnamese territory as stipulated in the former Decree but also foreign organizations and individuals directly participating in or related to electronic identification and authentication, and electronic identity card (“e-ID card”) activities.

  1. Interpretation

The new Decree:

(a) Adds:

(i) Agencies to Electronic identity subjects.

(ii) Authentication means means a number of methods that allow a user to perform electronic authentication, including not only a password, secret code, barcode, terminal, device or one-time password software, cryptographic equipment or software, identity cards (“ID card”), citizen identification cards (“citizen ID card”), passports, facial photos, fingerprints as provided in the former Decree but also voice, iris, or other tools and methods used for e-authentication purposes.

(b) Amends:

(i) An Electronic identification account is a collection of login names, passwords or other means of authentication created by an e-identification and authentication management agency; used to access and use the features, utilities, and applications of the e-identification and authentication system and the information system that has been connected and shared according to the provisions of law.

(ii) Electronic authentication is the activity of authenticating, confirming, affirming, certifying, providing electronic identity (“e-ID”), electronic identification account (“e-ID account”) or other information belonging to National population database, Identification database, National immigration database through the Electronic Identification and Authentication (“EIA”) system and platform.

(iii) Authentication factor is an authentication means used to accurately certify and confirm the e-ID subject before accessing and exploiting information in the EIA system.

(c) Renames the application “VNelD” on digital devices as National Identification Application, collectively calls “dinhdanhdientu.gov.vn” and “vneid.gov.vn” as Electronic Identification Websites. These are utilities created and developed by the Ministry of Public Security from the EIA system to perform EIA activities in handling administrative procedures and public administrative services and other transactions on the electronic environment; develop features, utilities, and applications to serve agencies, organizations, and individuals.

  1. Electronic Identity

(a) Electronic identity of an individual:

If the regulations on e-ID of foreigners under the former Decree are almost unchanged compared to Decree 59, still including: (a) Identification number of foreigners; (b) Surname, middle name and first name; (c) Date, month and year of birth; (d) Gender; (d) Nationality; (e) Number, symbol, date, month, year and place of issue of passport or valid international travel document; (g) Face photo; (h) Fingerprint; but clarifying that a foreigner’s identification number is the unique natural number sequence established by the EIA system to manage the e-ID of a foreign individual; the new Decree removes regulations on e-ID of Vietnamese citizens.

(b) Electronic identity of an agency or organization:

E-ID information of agencies and organizations is also expanded by Decree 69, including not only: (a) Identification number of agencies and organizations; (b) Name of agency or organization, including Vietnamese name, abbreviated name (if any) and name in foreign language (if any); (c) Date, month and year of establishment; (d) Head office address as provided in Decree 59 but also: (d) Tax code (if any); (e) Enterprise code (if any); (g) E-ID code of agency or organization (if any); (h) Full name, middle name, personal identification number (or foreigner’s identification number) of the legal representative or head of the agency or organization applying for an e-ID account. In which the identification number of an agency or organization is a unique natural number sequence established by the EIA system to manage the e-ID of an agency or organization.

  1. Electronic identification account

(a) Grant of an e-identification account:

The new Decree provides more specific regulations on the grant of e-ID accounts, accordingly:

(i) Vietnamese citizens aged 14 years or older who have been issued a valid ID card or citizen ID card are granted level 1 and level 2 e-ID accounts;

(ii) Vietnamese citizens from 6 years old to under 14 years old who have been issued an ID card will be granted a level 1 e-ID account, a level 2 e-ID account on demand;

(iii) Vietnamese citizens under 6 years old who have been issued an ID card will be granted a level 1 e-ID account on demand;

(iv) Foreigners aged 6 years or older who have been granted permanent or temporary residence cards in Vietnam are granted level 1 e-ID accounts, and level 2 e-ID accounts on demand;

(v) Foreigners under 6 years old who are issued permanent or temporary residence cards in Vietnam are granted level 1 e-ID accounts on demand; and

(vi) Agencies and organizations established or registered to operate in Vietnam are granted e-ID accounts regardless of level.

(b) Use of electronic identification account:

Decree 69:

(i) Adding new regulations on the use of e-ID accounts and other electronic transaction (“e-transaction”) accounts created by agencies, organizations and individuals; accordingly:

  • Level 1 e-ID accounts of Vietnamese citizens and foreigners are used to access, exploit, and use information about e-ID and some features, utilities, and applications of the EIA system and of information systems that have been connected and shared according to the provisions of law;
  • Level 2 e-ID accounts of Vietnamese citizens are used to access, exploit, and use e-ID cards; information other than the information integrated into e-ID cards are shared, integrated, and updated from the national database, specialized databases and all features, utilities and applications of the EIA system and of information systems that have been connected and shared according to the provisions of law;
  • Level 2 e-ID accounts of foreigners and e-ID accounts of agencies and organizations are used to access, exploit and use e-ID information and other information shared, integrated and updated from the national database, specialized database and all features, utilities and applications of the EIA system and of the information systems that have been connected and shared according to the provisions of law;

(ii) Makes amendments to further clarify the use of e-transaction accounts; accordingly:

  • Agencies, organizations and individuals may create e-transaction accounts in accordance with the laws on e-transactions to serve their transactions and activities and are responsible for authenticating and ensuring accuracy of the accounts they create, decide the level and usage value of each level of account. Information to create an e-transaction account must be provided by the account holder and consented to be used by the agency, organization or individual in order to create the account;
  • Representatives and guardians use e-ID accounts of people under 14 years old, wards, and representatives to carry out transactions and other activities to serve the latters’ rights and interests;
  • To use their e-ID accounts, people under 14 years old, wards, and principals must obtain the consent and confirmation of their representatives or guardians through the National Identification Application;
  • The EIA management agency connects, shares, and authenticates data for e-ID subjects to use their e-ID accounts in other countries according to international treaties that Vietnam has executed;

(iii) Provides more comprehensive regulations on the probative value of e-ID information and e-ID account information; accordingly:

  • Information about e-ID and information integrated into e-ID cards and e-ID accounts have probative value, equivalent to provision of information or use and presentation of papers and documents containing that information in carrying out administrative procedures, public services, transactions and other activities.
  • The use of e-ID accounts and e-authentication services has legal value to confirm and prove that the e-ID subject has performed and approved the transaction.

 (c) Granting, locking and unlocking electronic identification accounts:

 The new Decree stipulates in more detail the processes, procedures, and authority to grant, lock, and unlock e-ID accounts for Vietnamese citizens, foreigners, agencies, and organizations; However, the time-limit for granting e-ID accounts remains unchanged as prescribed in the former Decree.

(d) Activating an electronic identification account:

Decree 69 continues to require e-ID subjects to activate e-ID accounts on the National Identification Application within 7 days from the date of receiving notice of results of granting e-ID accounts. After 7 days, if the e-ID account is not activated, the e-ID subject must contact the EIA management agency through the help desk and support center to receive and resolve requests for e-identification and authentication in order to activate the e-ID account.

  1. Electronic Identity

Decree 69:

(a) for the first time, defines e-ID card presented as a feature and utility of the National Identification Application through access to citizens’ e-ID accounts granted along with granting level 2 e-ID accounts to Vietnamese citizens. The use of e-ID card through accessing a citizen’s level 2 e-ID account has the same value as using a valid ID card or citizen ID card in carrying out administrative procedures, public services, and other transactions and activities; and

(b) detailing the order of and procedures for granting, locking and unlocking e-ID cards.

  1. Electronic authentication

(a) Conditions for and order of electronic authentication:

Decree 69 adds new regulations, accordingly:

(i) E-authentication for e-ID and e-ID accounts is carried out through the EIA system and platform;

(ii) Individuals and organizations that are not State agencies, political organizations, socio-political organizations, or public service providers are required to electronically authenticate through the service of an organization providing e-authentication services;

(iii) The implementation of e-authentication for e-IDs and e-ID accounts at the request of organizations and individuals must be approved by the e-ID subjects through their confirmation on the National Identification Application or SMS text message via the owner’s phone number or other forms of confirmation as required by law;

(iv) Organizations and individuals are not allowed to provide or share e-authentication results to/with other organizations or individuals, unless otherwise required by the laws on personal data protection; and

(v) E-authentication results have no value as an authentication factor in other transactions.

(b) Authentication levels of electronic identification accounts:

The new Decree continues to maintain the provisions of the former Decree on four authentication levels of e-ID accounts, accordingly:

(i) Level 1: E-ID account authentication is performed based on an authentication factor and corresponding authentication means, in which there is no biometric information.

(ii) Level 2: E-ID account authentication is performed based on two different authentication factors and corresponding authentication means, in which there is no biometric information.

(iii) Level 3: E-ID account authentication is performed based on two or more different authentication factors and corresponding authentication means including a biometric information.

(iv) Level 4: E-ID account authentication is performed based on authentication factors, including at least 1 biometric factor (face image, fingerprint, voice, iris), at least 1 element owned by the e-ID subject (ID card, digital device, software) and 1 element known by the e-ID subject (password; secret code; 2-dimensional barcode).

(c) Electronic Authentication Service:

Decree 69 continues to defines e-authentication services as a conditional business line. Organizations providing these services must meet statutory conditions and be certified by the Ministry of Public Security as eligible to provide e-authentication services. The new Decree maintains the provisions of the former Decree on conditions for providing e-authentication services; however, additionally requires that organizations providing e-authentication services are responsible for displaying the list of e-authentication products and services they provide on the Electronic Identification Websites.

In addition, organizations providing e-authentication services may entrust other organizations to perform a number of activities, including: consulting, introducing, and answering questions about e-authentication services; finding partners, negotiating and agreeing on contents related to activities and utilities providing authentication services; supporting and caring for customers using services and other trade promotion activities according to the laws. Entrustment activities will be carried out in accordance with the provisions of law.

  1. Information storage in the electronic identification and authentication system

The new Decree maintains the information storage period in the EIA system as specified in the former Decree, in which:

(a) All information about e-ID, e-ID card and other information integrated into e-ID accounts are permanently stored in the EIA system.

(b) All historical information on e-ID card use and access of e-ID accounts are stored in the EIA system for a minimum period of 5 years from the time of use and access.

—–

Back