Vietnam: Privacy in Vietnam

Do Hai Ha¹ and Le Thu Hien²

The right to privacy has existed in Vietnam since 1946. Since its first Constitution, Vietnam has recognized people's right to be secure in their persons, residences, correspondence, and telephone and telegraph communications. The Constitution also guarantees people's right against unlawful searches and seizures. Nonetheless, the legal framework for privacy remains underdeveloped and in practice, privacy is not seen to be important.

Though privacy remains a novel concept in Vietnam, it has gradually come to the public's attention since "doi moi"³ with the arrival of foreign investors in the early 1990s. The purpose of this article is (i) to examine the right of privacy in employment relations and in some selected commercial situations under Vietnamese law, and in light of that, (ii) to suggest some recommendations from a business perspective.

This article does not discuss the privacy of organizations. It focuses on individual privacy -- ie, limited access to an individual.⁴ This article does not address matters involving the confidential business, information, and secrets.

Privacy under Vietnamese law

Right to privacy: general principles

In Vietnam, the right to privacy is guaranteed under the Constitution 1992, as amended in 2001 ("Constitution"). Article 71 of the Constitution provides that "citizens have the right to physical inviolability". Article 73 of the Constitution further states:

Article 38 of the Civil Code 2005 ("Civil Code") sets a broader and more clearly defined right to privacy:

1. The right to secrets of the private life of an individual shall be respected and protected by law.
2. Any collection [and] publication of information [and] materials that relate to the private life of an individual are subject to the consent of that individual; [or] if that individual has died, or loses the capacity for civil acts, or is under 15 years of age, subject to his consent⁵ or his parent, [or] spouse, [or] adult child or representative's consent, except for collection [and] publication of information [and] materials that are required under decisions by competent [state] authorities and entities.
3. The confidentiality and safety of citizens' correspondence, telephones and telegraph communications are guaranteed. Any check of correspondences, telephone and telegraph communications shall be done as regulated by law [and then, only] upon decisions of competent state authorities.

As you can see, the right to privacy is rather broadly recognized and protected by law. Apart from general principles, however, there is no single consolidated law. The right to privacy is granted in a number of different laws. The laws that apply depend on the nature of the matter. For example, employment-related privacy is subject to the Labor Code 1994, as amended in 2002, 2006 and 2007 ("Labor Code"), and its supporting regulations. Likewise, healthcare-related privacy rules appear in laws that relate to healthcare.

Notwithstanding all of this, the concept of privacy is new in Vietnam and has not yet been generally defined by society. There is no public debate to help delineate the nature and the limits of the right to privacy. It remains conceptual. In the meantime, although the law is at most general in nature, the public is aware of the right and seeks to require that it be recognized and respected. However, except for some very specific rules which we discuss, institutions remain relatively unfettered to decide what information may be requested and how it is treated after it has been obtained.

Below we look at the right to privacy in employment relations and in certain commercial situations.

Privacy in employment relations

In this section, we address several questions that involve privacy in employment, and we look at certain related concerns which frequently arise.

• Disclosure of private information as a condition of employment

Labor laws allow an employer to require a job applicant to disclose various kinds of private information. In particular, the law requires a job applicant to submit to his prospective employer a job application, which includes: a standard application form⁶; a copy of his labor book or curriculum vitae⁷; copies of degrees or certificates required for the position; and a health examination certificate.⁸ Where the applicant is a foreign employee, a job application file must contain a judicial record.⁹ In addition, a job applicant must disclose a wide range of private information, including personal details (name, gender, date of birth, passport/identification card number, address, etc.), training background, employment history, judicial history (in case of a foreign applicant) and family information (in case of a Vietnamese applicant).¹⁰

In the case of a Vietnamese applicant, the law permits an employer to require additional documents "where a job has special requirements".¹¹ With such general language, in reality, an employer may request other very broad additional private information. It is not clear whether this regulation also applies to foreign employees. Of note, pursuant to Article 8.1 of the Labor Code, "[a]n employer has the right to hire, assign, arrange and manage employees in accordance with its manufacturing and business requirements". This language might be interpreted to mean that employers have the right to determine recruitment and employment criteria, and therefore employees (including expatriates) may be requested to provide certain private information.

An employer can also ask its employees to update personal information during the course of their employment. The law generally requires each employee to have a labor book which is issued by the local Department of Labor, War Invalids and Social Affairs ("DOLISA") and which records detailed information about the employee, such as salary, position, additional professional qualifications, and work experience.¹² During the period of employment, an employee's labor book is maintained and kept current and accurate by the employer.¹³ The employer is required to designate a person who is responsible to keep and to record accurate information in the labor books.¹⁴ The labor book is returned to the employee when the employment is terminated.¹⁵

However, regulations on labor books only apply to Vietnamese employees.¹⁶ The question that then arises is whether an employer has the right to request its expatriates to update their private information during employment. No provision of law specifically addresses the question. Nevertheless, an employer may argue that such updates enable it to "manage employees in accordance with its manufacturing and business requirements". In contrast to the language regulating labor books, the rules on health checks clearly apply to both Vietnamese and expatriate employees. Article 102 of the Labor Code states that "[e]mployees' health shall be checked upon recruitment and periodically as required by law [and] costs for such health check shall be borne by the employer".

There is one clear exception to the requirement of disclosure of health-related information. An employer may not require an employee to have an HIV/AIDS test as a condition of employment, unless the employee works in airplane cabins or in a special position that relates to national defense and security.¹⁷

• Use of an employee-related database owned by an employer, by persons both within and outside of the enterprise

As discussed above, private information of an individual may be collected and disclosed only with the consent of that individual (or of a relative or guardian acting in his place)¹⁸ or the decision of a competent state authority.¹⁹ The question is then: is it necessary for an employer to request permission when private employee information is used within an organization?

Although there are no regulations that deal specifically with this issue, the law seems to permit an employer to use such information without its employees' consent in certain cases. According to Circular 10 and Circular 18, labor books must be maintained and updated to serve as (i) a tool for the State's management of labor and (ii) a basis for the employer's human resources ("HR") decisions. This implies that the employer may use private information contained in the labor book of an employee for internal HR matters, such as performance assessment, salary review, promotion, transfer and termination, or as requested by State administrative agencies such as tax or labor authorities.

Although the law does not resolve whether private employee information can be used by an employer for purposes outside of employment -- for example, to sell, or share such data with marketing companies -- such a use is not yet widely practiced and, if known, would probably receive a negative public response.

Although management may have a limited right to access and use employees' private information, the answers are even less clear for departments/individuals within a company. There is simply neither legal guidance nor legal requirements in place. From the standpoint of public perception, without any legal framework, it would probably be seen that management at the top level, and the human resources and accounting departments of a company, may have access to an employee's private information, provided that such access is necessary for purposes of internal management or State administration. Nonetheless, and even if one argues that some access is permitted, it is not settled whether other departments/individuals also have such a right.

It is also unclear whether a company may share HR data with its affiliated companies (ie, parent company, subsidiaries or sister companies) and whether, for example, it may engage a third party provider to establish, administer, maintain, and store its HR data.

The point here and elsewhere is not necessarily that a practice is impermissible; the point is that it is simply not regulated. For that reason, prudence and care should be exercised.

• Privacy in the workplace

There are privacy issues within the work place. An employer may wish to search employees at the entries and exits of the premises or may want to conduct electronic surveillance within the workplace. Does an employer have the right to do so? Again, the law does not address the matter in any detail.

In general, an employer may install and use electronic surveillance equipment on its premises. The accepted rule is that, as the owner of the premises, the employer is entitled to install and use such equipment. Further, the law authorizes the employer to manage its employees in accordance with its manufacturing and business requirements. Finally, the perception is that the workplace is not a place intended for private purposes.

However, there are a number of caveats. An employer is forbidden to strip-search employees. Besides, some areas within a premise, such as changing rooms or rest rooms, are generally expected to be private. The use of any electronic surveillance equipment in such areas would be deemed to violate the right to privacy.

To take the issue a step further, it is an open question whether the employer can use electronic surveillance devices without notice in advance to its employees.

Is an employer obliged to obtain an employee's permission before it enters a computer, desk or locker owned by the employer but used by the employee for business purposes? Similarly, may an employer, without its employees' consent, install surveillance measures to ensure that its telecommunication equipment (eg, telephones or computers) are used for designated purposes? There is no clear answer to these questions under Vietnamese law. On the one hand, the answer seems to be "no" for two reasons: (i) the employer, not its employees, owns the items/equipment; and (ii) the items/equipment are to be used for business purposes only. On the other hand, the law does not permit ownership rights to a property, including rights of the employer in the workplace, to "adversely impact ... the lawful rights ... of other persons" ²⁰, including the right to privacy. Besides, it seems inevitable that such items/equipment will also be used for personal purposes, and thus, that an employer is required to obtain the employee's permission.

Even if an employer is permitted to access a computer, desk or locker used by an employee or to control an employee's use of telecommunications equipment, it may be prohibited from storing and/or disclosing the employee's private information or materials which it discovers. As discussed above, private information of an individual may be collected and disclosed only upon the consent of that individual or the decision of a competent state authority. Moreover, the law only allows authorized persons to open, check and hold individual correspondence and telegraph communications in accordance with law.

Privacy in commercial situations

• Banking

Regulations on privacy in banking activities are relatively extensive. The law forbids credit institutions and their officers/employees from disclosing information that relates to customers' deposits or assets. Under Article 17.3 of the Law on Credit Institutions 1997, as amended in 2004 ("Law on Credit Institutions"), a credit institution is required not to disclose any details that relate to its customers' bank balances and to refuse a third party's request to disclose customers' deposits without the depositors' consent . Article 104.2 of the Law also states:

There are a few exceptions to the non-disclosure requirement: where disclosure is (i) agreed by a customer (agreement by telephone is not adequate), or (ii) requested by competent state authorities, or (iii) necessary for a bank's internal activities, or (iv) requested by another bank. Banks are required to formulate internal regulations on their disclosure of customers' information.²¹ Of note, any provision of customer information must be recorded in minutes by the providing bank.²² The law also requires that documents that relate to provision or receipt of customer information must be stored and maintained in accordance with regulations on protection of state secrets.²³

In some circumstances, the law imposes a disclosure requirement upon bank customers. Pursuant to Article 56.2 of the Law on Credit Institutions, a borrower is obliged "to provide full information and documents relating to a loan and to be responsible for the accuracy of such information and documents". Similarly, a beneficiary of a guarantee must provide full information and documents as may be requested by the guarantor and that relate to the guarantee.²⁴

• Healthcare

There are some very specific rules relative to private healthcare information. The law requires doctors to keep confidential, information that relates to a disease or to the private life of patients if such information is learned while acting in a professional capacity.²⁵ In the case of a birth that occurs through the aid of science, medical workers must keep confidential the name, age, address and image of persons who donate or receive embryos or sperm.²⁶ Article 33.3 of the Law on Prevention and Protection of Infectious Diseases 2007 also provides that doctors and medical workers must keep confidential all information that relates to patients who have infectious diseases.

The law does not specifically require a healthcare entity (eg, a clinic or hospital) to keep information about its patients confidential. Despite that, in light of Article 38 of the Civil Code set forth above, and considering such a requirement in respect of doctors and medical workers, it is believed that healthcare entities also have an obligation to protect their patients' private information. In some cases, however, a healthcare entity must disclose information about its patients if it is required by a state agency.²⁷

Special rules protect HIV/AIDS-infected patients. According to the Law on HIV/AIDS Prevention 2006, an HIV/AIDS-infected patient has the right to keep information about his HIV/AIDS status confidential. Additionally, the Law generally prohibits disclosure of the name, address, image or status of an HIV/AIDS-infected patient without his consent. This prohibition applies to all individuals and entities, including healthcare entities, doctors and medical workers.

Notwithstanding the existence of some privacy regulations that relate to healthcare services, certain gaps remain. Is a healthcare entity liable for a breach of a patient's privacy by a doctor or medical worker employed by that entity? If yes, to what extent is the healthcare entity liable? May private information about a patient be stored, used and transferred within a healthcare entity and, if so, to what extent? Who may have access to a patient or his private information during a medical examination and/or treatment?

• Insurance business

There are some specific regulations that relate to privacy in the insurance business. Upon entering into an insurance policy, the policy owner has an obligation to declare fully and truthfully all information that relates to the insurance policy, including information on the object being insured, as requested by the insurer.²⁸ This means that an insurer may require a purchaser of insurance to disclose certain private information about that purchaser, even where the insured is an individual. Of note, if a purchaser of insurance intentionally provides false information in order to enter into an insurance contract or to be paid insurance proceeds or to be indemnified, the insurer has the right unilaterally to terminate the performance of the contract and to collect insurance premiums up to the time of termination.²⁹ The insurer may also claim contractual damages,³⁰ including the proceeds of the policy that have already been paid.

It appears that the disclosure requirement imposed upon a purchaser of insurance also applies during the period of performance of the insurance contract. According to Article 18.2 of the Law on Insurance Business 2000, a purchaser of an insurance contract must "notify circumstances which may increase the risks or which may result in additional liability on the part of the insurer during the period of implementation of the insurance contract, as requested by the insurer". A breach of this obligation by a purchaser of an insurance contract also permits the insurer to terminate the insurance contract unilaterally.³¹ The shape and extent of this obligation remains to be defined. For example, must a person who has health insurance inform the insurance company if he is diagnosed with a serious disease and then risk termination or non-renewal of the policy?

The law also provides that an insurance company must keep confidential all information provided by the insured.³² That would include private information provided in the application, such as information that relates to the insured's health as contained in a doctor's report or volunteered by the applicant. This requirement extends to insurance brokers and insurance agents.³³

• Online business

An organization which engages in online business is subject to several privacy regulations. In general, organizations/individuals that collect, process or use a person's private information on the internet must obtain the consent of that person.³⁴ Still, there are some exceptions to this rule. For example, there is no need for consent where such private information is used (i) to sign, revise or execute contracts for use of information, products or services on the internet, or (ii) to price or calculate charges for use of information, products or services on the internet, or (iii) to perform an obligation in accordance with law.³⁵

The Law on Information Technology 2006 imposes many obligations on organizations/individuals that collect, process or use private and personal information on the internet. Specifically, they must notify that person of the form, scope, place and purpose of the collection, processing and use of this private information, and use the collected private information only for proper purposes.³⁶ In addition, the law requires them to ensure that the private information will not be lost, stolen, disclosed, modified or destroyed.³⁷ These organizations/individuals are also obliged immediately to take necessary measures when a person requests that his private information be confirmed, corrected or deleted.³⁸

There are some restrictions on the collection, processing and use of private information on the internet. Private information about a person is not allowed to be transferred to a third party without permission of that person.³⁹ Besides, such information can be stored only for a particular period of time as provided by law or as agreed between the parties.⁴⁰ Currently, the law does not set out any such period of time.

Vietnam's Ministry of Industry and Trade has adopted new regulations relative to consumers' online privacy.⁴¹ Under these regulations, a commercial website owner must inform visitors to its home page of its policy on confidentiality. Moreover, a request for consent to use private data must give the visitor the ability either to give or withhold consent. Importantly, the website is prohibited from using any mechanism by which consumers are deemed to provide consent by default.

• Trading activities

The Ordinance on Protection of Consumers' Rights 1999 does not provide for protection of consumers' privacy. Of course, general principles set out in the Constitution and the Civil Code apply to the extent that they can fill the legal vacuum. That is to say, a company can collect and publicize information that relates to the private life of an individual only if it has obtained the consent of that individual.

Still, many issues remain open. Can a company sell information on its consumers to another party without the prior consent of the consumers? Given Article 38 of the Civil Code, the answer would be "no", if such information relates to the private life of a consumer. However, this concerns a very basic, conceptual question: what information relates to the private life of a consumer? Particularly, can information on consumers' product preferences observed by a company, such as observation of supermarket or credit card transactions, be regarded as private information?

Can a company (eg, a supermarket or credit card company) require a consumer to disclose his private information as a condition of the sale of products or provision of services? If so, to what extent is it entitled to gather private information about its consumers? May a company share customer data with its affiliated companies without the consent of the consumers? Is it permitted to hire a third party provider to establish, administer, maintain, and store consumer data? Can a company use private information on a consumer to market other products or services? Does a consumer have the right to request examination, correction or deletion of his private information in the consumer database of a company?

Unfortunately, the law does not address any of the foregoing questions.

Recommendations

This brief review makes it clear that Vietnamese law sets forth only general principles to protect the right of privacy. There is very little detail. This reflects the fact that the right of privacy is not yet highly developed -- except in the few cases where the law is clear and specific enough. Where a right of privacy seems to exist but where it is not yet well defined, there is a risk for business and professionals that the broad language of the law will provide scope for a party to claim breach of the protection of privacy. Following are some recommendations to respect privacy but to provide some protection against such claims.

As for employment relations, it is worthwhile to establish an internal policy framework to deal with private employee information. Rules on gathering, storage and use of such information should be well-defined, widely-available and enforced. Further, such rules should be designed in such a way that indicates that employee private information will be stored in a confidential manner, and will be used only for designated purposes. Importantly, those rules should be incorporated into the company's internal labor rules and registered with the labor authority. The internal labor rules may include a clause that requires employees to disclose certain private information to the employer and ensure that such information is updated and remains accurate. This will help to support the employer in the case where a breach is alleged by an employee.

Some proactive steps should be taken. For instance, it should be made clear to employees that there should be no expectation of privacy at the workplace, and the employer reserves the right to have access to employee workrooms, workplace computers/telephones, and so on at any time without notice/consent in advance. Upon handing over any equipment to an employee, the employer should advise the employee that the equipment is company property, which should be used only for work-related activities. Of course, in recognition that private business must sometimes be conducted during working hours, reasonable rules or guidelines on the use of such equipment for private communication should be promulgated.

In case an employer wishes to use electronic surveillance/search equipment or to control an employee's use of telecommunications equipment, perhaps advance notice by the employer is sufficient. Nevertheless, it should be reiterated that in all cases, strip-search and surveillance in private areas within the workplace (eg, changing rooms or rest rooms) are clearly prohibited, even if employees have so agreed. Given the imbalance of positions between the employer and the employee, the tradition of labor protection and the nature of Vietnamese culture, there is a clear risk that even with an employee's agreement, such acquiescence will be held to be invalid on the ground that it is contrary to social morals.⁴²

As the law is not clear, the employer might obtain prior consent of employees to the storage, use, publication or sharing of their private information. This consent can be expressed in a labor contract or an agreement separate from such a contract. The question is whether the employer may obtain consent or at least acknowledgement from employees as a condition of employment. In fact, the law neither explicitly prohibits nor allows such practice. The law permits an employer to terminate employment only in cases set forth by law.

The employer should also require an employee to read company privacy rules, and sign a document declaring that he is aware of and commits to comply with these rules.

Additionally, it is advisable to post privacy rules, or at least their main points, in such places that all people can see.

All said, the employer should, even in the exercise of its rights and prerogatives, show restraint, good judgment, and regard for the employee.

In commercial situations, it is good practice to obtain permission of the person whose private information is intended to be collected, stored, used or shared with a third party, unless the law allows business entities and professionals to do so. It would be advisable for a business or professional entity to create clear privacy policies for the collection, storage, use and sharing of their information. To the extent the law is vague, such policies could give the private person (a patient, insured, consumer or client, etc.) the right to prevent, or "opt out" of, certain collection, storage, use and sharing of his private information. In the spheres in which the law is well-defined, such as banking or online business, strict compliance with legal regulations is important.

Conclusion

Privacy is an area that is very new both in Vietnamese society and in Vietnamese law. As discussed, except for a few spheres, the legal framework for privacy is generally insufficient and underdeveloped. This may pose risks for business and professionals for the reason that broad language of the law may result in more chances for privacy claims. Business and professionals should, therefore, treat private information with care. Suggestions to deal with privacy problems at this point are preliminary. The concept of privacy is new and developing. The law can be expected to continue to lag behind the development of this right.

1. Do Hai Ha, LLB (Hanoi University of Law), LLM (University of Melbourne), is an associate at Russin & Vecchi. His primary area of practice is Vietnamese labor law. He has also been a lecturer in labor law at the Ho Chi Minh City University of Law since 2002.

2. Le Thu Hien, BA, LLB (Phuong Dong University), is an associate at Russin & Vecchi. Her practice focuses on commercial and foreign investment issues.

3. Doi moi (renovation) is a socio-economic development strategy which was introduced at the Sixth Congress of the Communist Party of Vietnam in 1986. It implies two crucial policy changes, namely: (i) a transformation from a centrally planned economy towards a market driven economy and (ii) an opening up of the economy to international trade and foreign investment

4. Ferdinand Schoeman, "Privacy: Philosophical dimension of the literature" in Ferdinand Schoeman (ed), Philosophical Dimensions of Privacy: an Anthology (Cambridge University Press, 1984) 1, 3–4. v

5. In this article, any use of one gender, unless otherwise indicated, includes both genders and use of the singular or the plural, in context, includes the other.

6. Standard job application forms are issued by the Ministry of Labor, War Invalids and Social Affairs ("MOLISA") in conjunction with Circular No. 20/2003/TT-BLDTBXH dated September 22, 2003 ("Circular 20") and Circular No. 08/2008/TT-BLDTBXH dated June 10, 2008 ("Circular 08").

7. Forms to record one's curriculum vitae are issued by the MOLISA in conjunction with Circular 20 (in respect of Vietnamese employees) and Circular 08 (in respect of foreign employees).

8. In cases where the employee is a Vietnamese citizen, see: Decree No. 39/2003/ND-CP of the Government dated April 18, 2003 ("Decree 39"), art. 8; Circular 20, § II.2. Where the employee is a foreigner, see: Decree No. 34/2008/ND-CP of the Government dated March 25, 2008 ("Decree 34"), art. 4; Circular 08, § II.1.

9. Decree 34, art. 4; Circular 08, § II.1.

10. See: Circular 20, annexes 1, 2; Circular 08, annexes 1, 2.

11. Circular 20, § II.2.

12. Labor Code, arts. 182–83; Decree 39, art. 9; Circular No. 18/LDTBXH-TT of the MOLISA dated May 31, 1994 ("Circular 18"), § II; Circular No. 10/LDTBXH-TT of the MOLISA dated May 22, 1996 ("Circular 10"), § I, II.

13. Circular 18, § II; Circular 10, § II.

14. Ibid.

15. Ibid.

16. Circular 10, § I.

17. Law on HIV/AIDS Prevention 2006, art. 14.2(d); Decree No. 108/2007/ND-CP of the Government dated June 26, 2007, art. 20.1.

18. In this article, we will assume this exception and we will not mention it each time.

19. There is no specific definition of a "competent state authority". The identity of such authorities will depend on the nature and scope of the matter. It may include administrative state agencies that manage a matter, police, courts and others who, by law, are authorized to deal with a matter.

20. Civil Code, art. 165.

21. Law on Credit Institutions, arts. 102–4; Decree No. 70/2000/ND-CP of the Government dated November 21, 2000, arts. 5–6; Circular No. 02/2001/TT-NHNN of the State Bank of Vietnam dated April 4, 2001, as amended by Decision 1004/2001/QD-NHNN of the State Bank of Vietnam dated August 8, 2001 ("Circular 02"), § II.

22. Circular 02, § II.3.2.

23. Ibid, § II.4.

24. Law on Credit Institutions, art. 60.1.

25. Law on Protection of People's Health 1989, art. 25.1.

26. Decree No. 12/2003/ND-CP of the Government dated February 12, 2003, art. 10.6.

27. See: Law on Prevention and Protection of Infectious Diseases 2007, arts. 23.3 and 32.5; Ordinance on Practice of Private Medicine and Pharmacy 2003, art. 18.2.

28. Civil Code, art. 573.1; Law on Insurance Business 2000, arts. 18.2 and 19.1.

29. Civil Code, art. 573.2; Law on Insurance Business 2000, art. 19.2.

30. See Civil Code, art. 426.4.

31. Law on Insurance Business 2000, art. 19.2.

32. Ibid, art. 19.1.

33. Decree 45/2007/ND-CP of the Government dated March 27, 2007, art. 18.3.

34. Law on Information Technology 2008, art. 21.1.

35. Ibid, art. 21.3.

36. Ibid, art. 21.2.

37. Ibid.

38. Ibid.

39. Ibid, art. 22.2.

40. Ibid, art. 21.2.

41. See: Circular No. 09/2008/TT-BCT of the Ministry of Industry and Trade dated July 21, 2008.

42. See: Civil Code, art. 122.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.