Circular 25/2010/TT-BTTT

Circular No. 25/2010/TT-BTTT of November 15, 2010, on collection, use, sharing, security assurance and protection of personal information on websites or portals of state agencies



THE INFORMATION TECHNOLOGY APPLICATION DEPARTMENT
-------

SOCIALIST REPUBLIC OF VIET NAM
Independence - Freedom - Happiness
---------

No. 25/2010/TT-BTTTT

Hanoi, November 15, 2010

 

CIRCULAR

ON COLLECTION, USE, SHARING, SECURITY ASSURANCE AND PROTECTION OF PERSONAL INFORMATION ON WEBSITES OR PORTALS OF STATE AGENCIES

Pursuant to the June 29, 2006 Law on Information Technology;
Pursuant to the Government's Decree No. 64/2007/ND-CP of April 10, 2007, on application of information technology to the operation of state agencies;
Pursuant to the Government's Decree No. 187/2007/ND-CP of December 25, 2007, defining the functions, tasks, powers and organizational structure of the Ministry of Information and Communications;
At the proposal of the Director of the Information Technology Application Department,

STIPULATES:

Chapter I

GENERAL PROVISIONS

Article 1. Scope of regulation

This Circular provides for the collection, use and sharing of, and measures to ensure security for and protect, personal information on websites or portals of state agencies (below referred to as portals).

Article 2. Subjects of application

1. State agencies defined under Decree No. 64/2007/ND-CP which are managing and operating portals (below referred to as managing agencies).

2. Individuals who exploit and use portals of state agencies.

Article 3. Interpretation of terms

In this Circular, the terms below are construed as follows:

1. Website means a web page or a collection of web pages in a network environment which serves the provision and exchange of information.

2. Portal means the sole access point in a network environment linking and integrating information channels, services and applications, through which users can exploit and use information and personalize information display.

3. Personal information means information sufficient to precisely identify an individual, which includes at least one of the following details: full name, birth date, occupation, title, contact address, email address, telephone number, identity card number and passport number. Information of personal privacy includes health record, tax payment record, social insurance card number, credit card number and other personal secrets.

4. Homepage means the first web page seen by users when opening a portal at the address registered by and licensed to an agency or organization.

5. User means an individual exploiting and using portals of state agencies or his/her representative at law.

Article 4. Principles of collection, use, sharing, security assurance and protection of personal information

1. The collection, use and sharing of personal information through portals of state agencies are protected and assure security.

2. The exchange, transmission and storage of personal information on portals are protected and assure security under law.

3. The collection and use of personal information must be consented to by individuals unless otherwise provided by law.

4. Personal information security assurance and protection are compulsory in the designing, formation, operation, maintenance and upgrading of portals of state agencies.

Chapter II

COLLECTION, USE AND SHARING OF PERSONAL INFORMATION

Article 5. Collection of personal information

1. Managing agencies shall publicize and guide on their portals forms, scope and purposes of personal information collection and use for individuals.

2. Personal information can be provided by users themselves upon their use of online public services or automatically collected upon users' access to portals.

3. Managing agencies shall create electronic integrated forms in the portal system to collect personal information.

Article 6. Use of personal information

1. Managing agencies may use personal information only for the purposes clearly stated before collecting information.

2. Managing agencies shall provide options to limit details and scope of use of personal information.

Article 7. Personal information access and updating

1. Managing agencies shall provide users with the right to access their personal information.

2. An individual who cannot access his/her information may request a managing agency to re-grant information on his/her access account.

3. An individual may request a managing agency to check, correct and add his/her information.

4. An agency that has provided personal information to another state agency shall promptly notify the latter of revised information for earliest updating.

Article 8. Provision and sharing of personal information

1. A managing agency may neither provide nor share personal information it has collected, accessed or controlled to a third party unless so consented by concerned individuals or otherwise provided by law.

2. The mechanism to ask for users' permission for provision and sharing of their personal information must allow users to opt for acceptance or rejection in a separate step without establishing a default option of acceptance by users.

3. A user may request certification of personal information details stored by a managing agency.

4. When receiving personal information from another state agency under law, a managing agency shall assure security for such information and use it for proper purposes.

Chapter III

PERSONAL INFORMATION SECURITY ASSURANCE AND PROTECTION MEASURES

Article 9. Personal information security assurance and protection

1. Managing agencies shall elaborate and issue regulations on personal information security assurance and protection; guide and regularly examine their implementation; and assure their portals' conformity with standards and technical regulations on personal information security.

2. Managing agencies are not liable for personal information security assurance and protection in the following cases:

a/ Personal information is disclosed and publicized by information receiving agencies;

b/ Personal information is accidentally or deliberately disclosed and shared by users.

Article 10. Surveillance of personal information use

1. A managing agency shall elaborate and issue a regulation on personal information security assurance and protection upon exploitation and use of online public services on its portal.

2. This regulation must cover simple and clear rules on personal information management for appropriate and effective application suitable to the online provision of information and public services on the portal.

3. The regulation on personal information security assurance and protection must be maintained and its implementation be regularly supervised.

Article 11. Publicity of regulations on personal information security assurance and protection

1. A managing agency shall clearly publicize on the homepage its regulations on personal information security assurance and protection or provide a mechanism allowing users' easy access to these regulations on the portal.

2. Regulations on personal information security assurance and protection must meet the following requirements:

a/ Being simple, clear, easy to understand and appropriate to the nature and process of related matters and not overlapping;

b/ Being scientifically organized, allowing printout, subsequent display and online access;

c/ Describing the processing of personal information after being collected on portals; listing information details which can be shared to a third party;

d/ Being clearly displayed to users before they send their personal information.

3. When regulations on personal information security assurance and protection change in any form, managing agencies shall publish updated information on portals.

Article 12. Technical measures for personal information security assurance and protection

1. A managing agency shall take technical measures to guarantee data and computer network security and personal information security and protection; and prevent illegal access, use, change and transmission of personal information and other illegal acts.

2. A managing agency shall apply a process for personal information security assurance and protection.

3. A managing agency shall employ coding technology for information of personal privacy.

4. A managing agency shall apply a technical infrastructure security management process which includes (but is not limited to):

a/ Formation of a firewall system;

b/ Coding of signals in transmission lines;

c/ Use of accounts and passwords;

d/ Establishment of backup solutions and equipment system which allow automatic data recovery;

e/ Use of special-use equipment with automatic security functions against hacking.

5. A managing agency shall observe standards and technical regulations on personal information security assurance and protection in sharing and exchanging information with other state agencies.

Article 13. Storage of personal information

1. A managing agency shall store personal information on its portal till it is no longer necessary for its provision of registered online public services and comply with state regulations on archives.

2. Personal information collected for survey and statistical purposes must be removed upon completion of survey or statistical work.

Article 14. Assurance of technological compatibility

A managing agency or an organization or enterprise hired to set up and maintain the portal system of a state agency shall apply relevant standards and technical regulations on personal information security assurance and protection.

Article 15. Inspection and assessment of personal information security assurance and protection

1. A managing agency shall regularly inspect and assess the level of personal information security assurance and protection.

2. The inspection and evaluation process must meet the following requirements:

a/ Observance of law;

b/ Identification of information to be collected, purposes of information collection and use and agencies entitled to personal information sharing;

c/ Assessment of efficiency and risks of personal information collection, use and sharing;

d/ Inspection and assessment of the level of personal information security assurance and protection;

e/ Inspection of infrastructure's conformity with prescribed technical standards and technical regulations in terms of information security;

f/ Adoption of preventive measures to mitigate adverse impacts upon occurrence of personal information insecurity incidents;

g/ Study of portals' limits related to personal information integrity to take prompt remedies.

3. When a portal has changes or is upgraded, its managing agency shall immediately reassess the level of personal information security assurance and protection.

Article 16. Conditions on personal information security assurance and protection

1. Cadres and civil servants of managing agencies are conversant with law and their agencies' regulations on personal information security assurance and protection.

2. Technicians are recruited, trained and regularly retrained in professional operations relevant to their assigned tasks and given appropriate working conditions.

3. Technicians of managing agencies are prioritized to take charge of security assurance and protection of personal information stored on their portals. When necessary, outside information security assurance services may be used, provided that written commitment to personal information security assurance and protection must be made by service providers.

4. Managing agencies shall allocate funds for security assurance and protection of personal information on portals.

Chapter IV

ORGANIZATION OF IMPLEMENTATION

Article 17. Responsibilities of managing agencies

1. To observe this Circular to ensure that personal information provided on portals is used properly, not lost, stolen, disclosed, changed or destroyed.

2. To coordinate with competent agencies in investigating and handling violations of the law on personal information security assurance and protection.

3. To disseminate and ensure the implementation of regulations on personal information security assurance and protection within their agencies.

4. To disseminate and raise awareness about purposes, role and significance of personal information security assurance and protection for organizations and individuals providing and exploiting information and using online public services on portals.

Article 18. Responsibilities of users

1. To accurately, fully and truthfully provide personal information to receive online public services or when so requested by state agencies and take responsibility for their personal information provided.

2. To keep confidential their personal accounts when exploiting and using portals of state agencies and take full responsibility for all transactions made through their accounts.

3. To observe regulations and guidance of state agencies for security assurance and protection of personal information on portals.

Article 19. Responsibilities for implementation guidance

1. The Information Technology Application Department under the Ministry of Information and Communications shall disseminate, guide and urge the implementation of this Circular; annually assess personal information security assurance and protection on portals of ministries, ministerial-level agencies, government-attached agencies and provincial-level People's Committees.

2. The Vietnam Computer Emergency Response Team (VNCERT) shall coordinate and support matters related to portals with potential personal information insecurity; coordinate in elaborating technical standards applicable to portals for personal information security assurance and protection; and assist state agencies in remedying personal information insecurity incidents on portals.

3. The Inspectorate of the Ministry of Information and Communications shall inspect and examine the implementation of this Circular and handle violations under law.

4. Information technology units of ministries, ministerial-level agencies, government-attached agencies and provincial-level Information and Communications Departments shall disseminate and guide the implementation of this Circular in their agencies and attached units.

Article 20. Effect

1. This Circular takes effect on January 1, 2011.

2. Any problems arising in the course of implementation should be promptly reported to the Ministry of Information and Communications for consideration and revision.

 

 

FOR THE MINISTER OF INFORMATION AND COMMUNICATIONS
DEPUTY MINISTER




Nguyen Minh Hong

 

Legal document attributes: 25/2010/TT-BTTT

Document type: Circular
Number: 25/2010/TT-BTTT
Issuing agency: Ministry of Information and Communications
Signer: Nguyễn Minh Hồng
Date issued: 15/11/2010
Effective date: 01/01/2011
Field: Information technology
Validity status: In effect
