This information is outlined in a draft decree detailing aspects of the Personal Data Protection Law, drafted by the Ministry of Public Security, which is currently open for public comment.
The decree dedicates two articles to defining basic and sensitive personal data. The list of sensitive data is expanded and more specific than under current regulations, encompassing information on racial origin, political views, private life, health, social media activity, and more. The Ministry of Public Security believes this clear categorization will clarify responsibilities and enhance privacy protection.
Basic personal data is defined as data reflecting common personal factors and background information frequently used in transactions and social interactions.
Sensitive personal data is defined as data closely tied to an individual's privacy. Unauthorized access to this data can directly affect the legitimate rights and interests of agencies, organizations, and individuals. Therefore, it requires restricted access permissions, stringent processing procedures, and robust security measures.
The draft decree details 13 categories of sensitive personal data: racial and ethnic origin; political, religious, and belief systems; private life; health status; biometrics and genetic characteristics; data revealing sexual life and orientation; location data from positioning services; bank card information and transaction history; financial and credit information; and more.
Hacker forums openly trade personal data. Photo: Pham Du
Tightening personal data protection in finance and banking
Article 8 of the draft decree proposes a stricter legal framework for the financial, banking, and credit information sectors, which frequently handle sensitive personal data.
The Ministry of Public Security proposes that organizations and individuals storing or using data must notify the data subject within 72 hours of discovering a leak or loss of bank account, financial, or credit information. This is a new provision, as the current regulation in Decree 13/2023 lacks a specific timeframe, potentially leading to delayed notifications and increased risk for customers.
The draft also proposes that organizations and individuals operating in finance, banking, and credit sectors are responsible for protecting personal data according to international data protection standards. They must also conduct annual data protection compliance assessments and log all personal data processing activities.
This is another new point, as the current Decree 13/2023 only requires "appropriate technical and management measures" without specifying standards or inspection timelines.
Furthermore, the draft clarifies the mechanism for obtaining customer consent. When collecting and processing personal data, organizations must list specific purposes, such as credit scoring and ranking, specify data sources and sharing parties, and disclose data retention periods, procedures for withdrawing consent, and data deletion policies.
Concerns about personal credit information theft arose recently when the National Cybersecurity Center (VNCERT) under A05, Ministry of Public Security, announced signs of criminal activity targeting the Credit Information Center (CIC) on 10/9. Many hope that stricter regulations on personal data protection in the financial and banking sectors will enhance the security of personal information.
Bank account balances openly traded on the black market
The Personal Data Protection Law, passed by the National Assembly on 26/6 and effective from 1/1/2026, is Vietnam's first law on personal data protection. Previously, this area was only covered by Decree 13/2023.
Compared to the old regulations, the law adds three prohibited acts: using another person's personal data or allowing others to use one's own data for illegal activities; buying or selling personal data; and misappropriating, intentionally disclosing, or losing personal data.
Groups trading data and bank accounts on Telegram. Photo: Trong Dat
In its report to the government, the Ministry of Public Security stated that personal data is a key component of digital transformation, digital economic development, and the construction of a digital society. However, personal data breaches remain frequent in cyberspace.
Service businesses collect customer data and then allow third-party partners access without strict regulations, leading to data trafficking. Many businesses actively collect customer data to create databases for analysis, processing, and sale, trading both raw and processed data.
The Ministry of Public Security has found that highly detailed personal and organizational information is being traded. This includes full names, birth dates, citizen identification numbers, addresses, phone numbers, bank accounts (including balances), family members, positions, and workplaces. Trading groups even offer "guarantees" and the ability to update and extract data on demand.
Large amounts of data are openly sold for extended periods on social media platforms like Facebook, Zalo, Telegram, and hacker forums (raidforums.com). Criminals even use bank accounts for transactions, explicitly stating "data purchase" in the transaction details.
Practical experience in data protection shows that citizens' fundamental rights regarding personal data are not yet guaranteed. Citizens lack awareness of how to protect themselves, file complaints, or seek compensation when their rights and interests are violated. The personal data handling process also reveals many shortcomings.
Furthermore, biometric information, personal history, relationships, health status, and financial information are often publicly posted. Meanwhile, some officials lack awareness regarding the provision and management of personal records and data. The willingness to exchange private information for technological convenience is also a concern.
According to the draft decree, the Department of Cybersecurity and High-Tech Crime Prevention (A05, Ministry of Public Security) will be the agency responsible for personal data protection.