To strictly handle the illegal trading, transfer of personal data in the education sector in Vietnam

To strictly handle the illegal trading, transfer of personal data in the education sector in Vietnam (Internet image)

On August 22, 2024, the Ministry of Education and Training of Vietnam issued Official Dispatch 4567/BGDDT-CNTT regarding the enhancement of personal data protection and network information security in Vietnam.

To strictly handle the illegal trading, transfer of personal data in the education sector in Vietnam

To thoroughly implement and rigorously enforce the regulations of Decree 13/2023/ND-CP in relevant activities of the sector, the Ministry of Education and Training of Vietnam requests the departments of education and training, universities, academies, colleges, and pedagogical colleges (hereinafter referred to as units) to strengthen the review and implement the following tasks:

(1) Enhance the dissemination, propaganda, and thorough enforcement of the regulations of Decree 13/2023/ND-CP to units and individuals under their management, especially those directly involved in managing, exploiting, and processing personal data; organize legal education, communication, dissemination of knowledge, and skills for personal data protection compatible with students.

(2) Review internal regulations and policies regarding the management, operation, exploitation, and use of information systems/databases under the unit's management and its subordinate units to integrate the current legal regulations on personal data protection. This includes clearly defining the responsibility for personal data protection of related agencies, organizations, individuals; and handling the responsibility of organizations, individuals in case of violations of personal data protection regulations within their scope of responsibility.

Review units and departments involved in the collection and processing of personal data; classify collected and processed personal data; evaluate the process of collecting and processing personal data to issue or propose appropriate management measures and determine the corresponding protection responsibilities for each type of personal data in accordance with Decree 13/2023/ND-CP.

(3) Review the security and safety of the systems and implement necessary technical measures for the information systems/databases under their management; regularly inspect, maintain, and upgrade the systems to promptly detect and remedy technical loopholes to avoid the risk of insecurity, system safety, and loss of personal data.

For units utilizing services from enterprises for maintaining and operating information systems/databases, there should be a review to ensure the principle that the data under the unit's management must be under the unit's control; enterprises must not access the data (including personal data) without the unit's permission.

(4) In managing, exploiting, and using educational databases, disseminate the regulations in Circular 42/2021/TT-BGDDT stipulating educational and training databases to officials and public employees, and workers to study and implement.

Clearly stipulate the responsibilities for account protection, network information security, and personal data protection; pay special attention to account management access: do not share accounts, set passwords with necessary complexity (minimum length of 8 characters, including numbers, uppercase, lowercase, and special characters), and regularly change passwords (change password every 3 months at most).

(5) Upon discovering violations of personal data protection regulations (especially unauthorized sale and transfer of personal data), strict actions must be taken, and the violations must be reported to the specialized personal data protection agency (Cybersecurity and High-Tech Crime Prevention Department - Ministry of Public Security) and the Ministry of Education and Training (through the Information Technology Department) within 72 hours of the occurrence or detection of the violation according to Form No. 03 in the Appendix of Decree 13/2023/ND-CP.

More details can be found in Official Dispatch 4567/BGDDT-CNTT dated August 22, 2024.

>> CLICK HERE TO READ THIS ARTICLE IN VIETNAMESE