
CCCD and CMND Numbers: Why Vietnam's Most Common ID Is Your Biggest Compliance Risk

CompliScan Team, 5 min read

Every company with employees in Vietnam has CCCD numbers in its systems. They are collected during hiring, referenced in payroll, attached to contracts, and copied into spreadsheets. Most companies have no idea how many copies exist, where they are, or who can access them.

Under Vietnam's PDPL (Law 91/2025/QH15) and Decree 356, Citizen Identity Card numbers — both the current CCCD and the legacy CMND format — are classified as sensitive personal data. Mishandling them is not just a policy gap. It is a regulatory exposure.


What Are CCCD and CMND Numbers?

The CCCD (Can cuoc cong dan — Citizen Identity Card) is Vietnam's primary national identification document, issued to all citizens from age 14. It contains a unique 12-digit identification number. The older CMND (Chung minh nhan dan — People's Identity Card) used a 9-digit format and is being phased out, but many records still reference CMND numbers.

Both formats are considered personal identification numbers under Decree 356 and are subject to the PDPL's protections for sensitive personal data.


Why CCCD Numbers Are High-Risk

CCCD numbers are uniquely identifying. Unlike names or phone numbers, a CCCD number maps one-to-one to a specific individual. Exposure of this number — combined with a name or other identifying information — can enable identity fraud, unauthorized account access, and other harms.

Under the PDPL, sensitive personal data requires heightened protection: stricter access controls, explicit consent for processing, and additional documentation requirements. A compliance breach involving sensitive data carries more regulatory weight than a breach involving non-sensitive categories.


How CCCD Numbers End Up in Google Workspace

The most common pathways are mundane. Nobody sets out to create a compliance problem — it happens through ordinary business processes.

HR Onboarding

New employees submit CCCD copies as part of hiring paperwork. These scans are often:

  • Uploaded to a shared HR folder on Google Drive
  • Emailed to HR staff as attachments
  • Copied into onboarding checklists in Google Sheets

Payroll Processing

Payroll spreadsheets frequently include CCCD numbers alongside employee names, bank account numbers, and salary information. These files may be shared with accounting teams, outsourced payroll providers, or management — often with broad access permissions.

Contract Management

Labor contracts reference CCCD numbers by default. When contracts are stored as PDFs in Drive, the CCCD numbers are embedded in accessible documents that may be shared more broadly than intended.

Ad Hoc Requests

Government filings, insurance registrations, and tax submissions often require CCCD numbers. Employees may send their numbers via Gmail to whoever is handling the paperwork. These emails persist in mailboxes indefinitely.


What the PDPL Requires

For sensitive personal data like CCCD numbers, the PDPL and Decree 356 require:

Explicit consent. The data subject must specifically consent to the processing of their CCCD number for stated purposes. A general employment consent form may not be sufficient.

Purpose limitation. CCCD numbers must be collected and used only for specific, legitimate purposes. Retaining them in spreadsheets "for reference" beyond their original purpose violates this requirement.

Access restriction. Only individuals who need the CCCD number for their specific job function should have access. Shared Drive folders accessible to entire departments do not meet this standard.

Secure storage. CCCD data must be stored with appropriate technical safeguards. Unencrypted Google Sheets with no access controls do not qualify.

Deletion when no longer needed. Once the purpose for collecting the CCCD number has been fulfilled, the data should be deleted unless a legal retention requirement applies.


Practical Steps for Your Company

1. Find Every Copy

Run a scan of your Google Workspace to identify every file containing CCCD or CMND number patterns. This includes Drive documents, Sheets, email attachments, and Gmail message bodies. You cannot manage what you have not inventoried.
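A minimal sketch of the pattern matching such an inventory scan depends on, added here as an illustration; it is not CompliScan's code. It assumes text has already been exported from Drive or Gmail, assumes the first three digits of a CCCD are a province code in the range 001-096, and uses constructed sample content. Findings are masked so the report does not become one more copy of the numbers.

```python
import re

# Exactly 12 or 9 digits, not part of a longer digit run (e.g. a bank account).
CANDIDATE = re.compile(r"(?<!\d)(\d{12}|\d{9})(?!\d)")
# Labels that usually sit next to an ID number in HR sheets and contracts.
LABEL = re.compile(r"cccd|cmnd|căn cước|can cuoc|chứng minh|chung minh", re.I)

def plausible_cccd(num):
    # Assumed layout: the first three digits are a province code, 001-096.
    return 1 <= int(num[:3]) <= 96

def mask(num):
    # Keep only the last 3 digits so the findings report is not another copy.
    return "*" * (len(num) - 3) + num[-3:]

def scan_text(source, text, window=40):
    findings = []
    for m in CANDIDATE.finditer(text):
        num = m.group(1)
        nearby = text[max(0, m.start() - window):m.end() + window]
        labelled = bool(LABEL.search(nearby))
        if len(num) == 12 and plausible_cccd(num):
            kind, confidence = "CCCD", "high" if labelled else "medium"
        elif len(num) == 9 and labelled:
            # A bare 9-digit run is too ambiguous (order or invoice numbers),
            # so a legacy CMND is reported only when a label is nearby.
            kind, confidence = "CMND", "high"
        else:
            continue
        findings.append({"source": source, "kind": kind,
                         "confidence": confidence, "masked": mask(num)})
    return findings

# Constructed sample content standing in for text exported from Drive and Gmail.
SAMPLES = {
    "payroll.csv": "Nguyen Van A,CCCD 001090012345,VCB 0011004455667,12000000",
    "onboarding.txt": "So CMND: 123456789 (cap tai Ha Noi)",
    "mail-body.txt": "Em gui so 079201004321 de lam bao hiem a",
    "invoice.txt": "Order 998877665544 ref 555444333",
}

def scan_all(samples=SAMPLES):
    return [f for name, text in samples.items() for f in scan_text(name, text)]

if __name__ == "__main__":
    for finding in scan_all():
        print(finding)
```

Medium-confidence hits (a plausible 12-digit number with no label nearby) are the ones to review by hand; scanned images of ID cards need OCR before any pattern match can see them.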

2. Consolidate and Restrict

Where possible, consolidate CCCD data into a single, access-controlled location rather than allowing copies to proliferate across Drive folders and email threads. Restrict access to the minimum number of people who genuinely need it.

3. Clean Up Historical Data

Review older files and emails for CCCD data that is no longer needed. Former employees' CCCD numbers should not remain in shared spreadsheets indefinitely. Establish a retention schedule and enforce it.

4. Strengthen Onboarding Processes

Update your HR onboarding workflow to avoid creating unnecessary copies of CCCD documents. If a scan is needed, ensure it goes to a restricted folder — not a shared team drive. Stop accepting CCCD copies via email.

5. Review Sharing Settings

For every file containing CCCD data, verify that sharing is limited to specific named individuals. Remove "Anyone with the link" and "Anyone in the organization" access. Disable downloading where possible.
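The sharing check above, expressed against file metadata, as an added example rather than code from this article's authors. It assumes each file's metadata has the shape returned by Drive API v3 `files.get` with the `permissions` and `copyRequiresWriterPermission` fields requested; the file entries and the approved-user list are constructed.

```python
# Drive permission types that correspond to the two link-sharing options.
BROAD = {"anyone": "Anyone with the link",
         "domain": "Anyone in the organization"}

def audit_sharing(meta, approved):
    """Return the sharing problems for one file's metadata dict."""
    issues = []
    for perm in meta.get("permissions", []):
        ptype, role = perm.get("type"), perm.get("role")
        email = (perm.get("emailAddress") or "").lower()
        if ptype in BROAD:
            issues.append(f"{BROAD[ptype]} can act as {role}")
        elif ptype == "group":
            issues.append(f"group {email} is not a named individual")
        elif ptype == "user" and email not in approved:
            issues.append(f"{email} is not on the approved list")
    # When this flag is false, viewers and commenters may download the file.
    if not meta.get("copyRequiresWriterPermission", False):
        issues.append("viewers and commenters can download, print and copy")
    return issues

# Constructed metadata for files a content scan flagged as holding CCCD data.
APPROVED = {"hr.lead@example.com", "payroll@example.com"}  # hypothetical list
FILES = [
    {"name": "payroll-2024.xlsx", "copyRequiresWriterPermission": False,
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "hr.lead@example.com"},
         {"type": "domain", "role": "reader", "domain": "example.com"},
         {"type": "user", "role": "writer", "emailAddress": "intern@example.com"}]},
    {"name": "contracts/nguyen-van-a.pdf", "copyRequiresWriterPermission": True,
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "hr.lead@example.com"},
         {"type": "user", "role": "reader", "emailAddress": "Payroll@example.com"}]},
    {"name": "onboarding-checklist", "copyRequiresWriterPermission": True,
     "permissions": [
         {"type": "anyone", "role": "reader"},
         {"type": "group", "role": "writer", "emailAddress": "hr-team@example.com"}]},
]

def audit_all(files=FILES, approved=APPROVED):
    """Map file name to its list of issues, omitting files that pass."""
    report = {f["name"]: audit_sharing(f, approved) for f in files}
    return {name: issues for name, issues in report.items() if issues}

if __name__ == "__main__":
    for name, issues in audit_all().items():
        print(name, issues)
```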


Start With a Scan

The first step is knowing where CCCD data exists in your Google Workspace. Without that visibility, every other compliance measure is guesswork.

CompliScan identifies Vietnamese PII — including CCCD and CMND number patterns — across your entire Google Workspace. Our read-only scan covers Drive, Gmail, Sheets, and Docs, and delivers a detailed risk report within 48 hours.


This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for advice specific to your company's situation.