Uploaded by gileenbmontefalco

Ease of Doing Business

Ease of Doing Business and Efficient
Government Service Delivery Act of 2018
Section 2. Declaration of Policy.
To promote integrity, accountability, proper
management of public affairs and public
property as well as to establish effective
practices, aimed at efficient turnaround of the
delivery of government services and the
prevention of graft and corruption in
Section 3. Coverage.
Applies to all government offices and agencies
including local government units (LGUs),
government-owned or controlled corporations and
other government instrumentalities, whether
located in the Philippines or abroad, that provide
services covering business and nonbusiness
related transactions as defined in this Act.
Section 4. Definition of Terms.
(a) Action refers to the written approval or
disapproval made by a government office or
agency on the application or request submitted by
an applicant or requesting party for processing;
(b) Business One Stop Shop (BOSS) – a single
common site or location, or a single online website
or portal designated for the Business Permit and
Licensing System (BPLS) of an LGU to receive
and process applications, receive payments, and
issue approved licenses, clearances, permits, or
(c) Business-related transactions – a set of
regulatory requirements that a business entity
must comply with to engage, operate or continue
to operate a business, such as, but not limited to,
collection or preparation of a number of
documents, submission to national and local
government authorities, approval of application
submitted, and receipt of a formal certificate or
certificates, permits, licenses which include
primary and secondary, clearances and such
similar authorization or documents which confer
eligibility to operate or continue to operate as a
legitimate business;
(d) Complex transactions – applications or
requests submitted by applicants or requesting
parties of a government office which necessitate
evaluation in the resolution of complicated issues
by an officer or employee of said government
office, such transactions to be determined by the
office concerned;
(e) Fixer – any individual whether or not officially
involved in the operation of a government office or
agency who has access to people working therein,
and whether or not in collusion with them,
facilitates speedy completion of transactions for
pecuniary gain or any other advantage or
(f) Government service – the process or
transaction between applicants or requesting
parties and government offices or agencies
involving applications for any privilege, right,
authorization, concession, or for any modification,
renewal or extension of the enumerated
applications or requests which are acted upon in
the ordinary course of business of the agency or
office concerned;
(g) Highly technical application – an application
which requires the use of technical knowledge,
specialized skills and/or training in the processing
and/or evaluation thereof;
(h) Nonbusiness transactions –
government transactions not falling under Section
4 (c) of this Act;
(i) Officer or employee – a person employed in a
government office or agency required to perform
specific duties and responsibilities related to the
application or request submitted by an applicant or
requesting party for processing;
(j) Processing time – the time consumed by an
LGU or national government agency (NGA) from
the receipt of an application or request with
documents and payment of fees to the issuance
of certification or such similar documents
approving or disapproving an application or
(k) Red tape – any regulation, rule, or
administrative procedure or system that is
ineffective or detrimental in achieving its intended
objectives and, as a result, produces slow,
suboptimal, and undesirable social outcomes;
(l) Regulation – any legal instrument that gives
effect to a government policy intervention and
obligation, compliance to standards or payment of
any form of fee, levy, charge or any other statutory
and regulatory requirements necessary to carry
out activity; and
(m) Simple transactions – applications or requests
submitted by applicants or requesting parties of a
government office or agency which only require
ministerial actions on the part of the public officer
or employee, or that which present only
inconsequential issues for the resolution by an
officer or employee of said government.
Section 5. Reengineering of Systems and
All offices and agencies which provide
government services are hereby mandated to
regularly undertake cost compliance analysis,
time and motion studies, undergo evaluation and
improvement of their transaction systems and
procedures and reengineer the same if deemed
necessary to reduce bureaucratic red tape and
processing time.
Section 6. Citizen’s Charter.
All government agencies including departments,
bureaus, offices, instrumentalities, or government-owned and/or -controlled corporations, or LGUs
shall set up their respective most current and
updated service standards to be known as the
Citizen’s Charter in the form of information
billboards which shall be posted at the main
entrance of offices or at the most conspicuous
place, in their respective websites and in the form
of published materials written either in English,
Filipino, or in the local dialect, that detail:
(a) A comprehensive and uniform checklist of
requirements for each type of application or
(b) The procedure to obtain a particular service;
(c) The person/s responsible for each step;
(d) The maximum time to conclude the process;
(e) The document/s to be presented by the
applicant or requesting party, if necessary;
(f) The amount of fees, if necessary; and
(g) The procedure for filing complaints.
Section 7. Zero-Contact Policy.
Except during the preliminary assessment of the
request and evaluation of sufficiency of submitted
requirements, no government officer or employee
shall have any contact, in any manner, unless
strictly necessary with any applicant or requesting
party concerning an application or request.
-the notion of asking for payment
Section 8. Accountability of Heads of Offices and
The head of the office or agency shall be primarily
responsible for the implementation of this Act and
shall be held accountable to the public in
rendering fast, efficient, convenient and reliable
Sec. 21. Violations and Persons Liable.
(a) Refusal to accept application or request with
complete requirements being submitted by an
applicant or requesting party without due cause;
(b) Imposition of additional requirements other
than those listed in the Citizen’s Charter;
(c) Imposition of additional costs not reflected in
the Citizen’s Charter;
(d) Failure to give the applicant or requesting party
a written notice on the disapproval of an
application or request;
(e) Failure to render government services within
the prescribed processing time on any application
or request without due cause;
(f) Failure to attend to applicants or requesting
parties who are within the premises of the office or
agency concerned prior to the end of official
working hours and during lunch break;
(g) Failure or refusal to issue official receipts; and
(h) Fixing and/or collusion with fixers in
consideration of economic and/or other gain or
Sec. 22. Penalties and Liabilities.
(a) First Offense: Administrative liability with
six (6) months suspension: Provided,
however, That in the case of fixing and/or
collusion with fixers under Section 21(h), the
penalty and liability under Section 22(b) of this
Act shall apply.
(b) Second Offense: Administrative liability and
criminal liability of dismissal from the service,
perpetual disqualification from holding public
office and forfeiture of retirement benefits and
imprisonment of one (1) year to six (6) years with
a fine of not less than Five hundred thousand
pesos (P500,000.00), but not more than Two
million pesos (P2,000,000.00).
Criminal liability shall also be incurred through the
commission of bribery, extortion, or when the
violation was done deliberately and maliciously to
solicit favor in cash or in kind. In such cases, the
pertinent provisions of the Revised Penal Code
and other special laws shall apply.
25. Immunity,
Respondent/Accused to be a Witness.
Any public official or employee or any person
having been charged with another offense under
this Act and who voluntarily gives information
pertaining to an investigation or who willingly
testifies therefore, shall be exempt from
prosecution in the case/s where his/her
information and testimony are given. The
discharge may be granted and directed by the
investigating body or court upon the application or
petition of any of the respondent/accused-informant and before the termination of the
REPUBLIC ACT NO. 10173 - Data Privacy Act of
Declaration of Policy. – It is the policy of the State
to protect the fundamental human right of privacy,
of communication while ensuring free flow of
information to promote innovation and growth.
The State recognizes the vital role of information
and communications technology in nation-building
and its inherent obligation to ensure that personal
information in information and communications
systems in the government and in the private
sector are secured and protected.
-to balance the rights of an individual (a
constitutional right) and recognizing the role of
information and communication
-protects individuals from unauthorized
processing of personal information that is:
1) private, not publicly available; and
2) identifiable, where the identity of the individual
is apparent either through direct attribution or
when put together with other available
Consent of the data subject refers to any freely
given, specific, informed indication of will,
whereby the data subject agrees to the
collection and processing of personal
information about and/or relating to him or her.
Consent shall be evidenced by written,
electronic or recorded means. It may also be
given on behalf of the data subject by an agent
specifically authorized by the data subject to
do so.
Data subject refers to an individual whose
personal information is processed.
Personal information refers to any information
whether recorded in a material form or not,
from which the identity of an individual is
apparent or can be reasonably and directly
ascertained by the entity holding the
information, or when put together with other
information would directly and certainly
identify an individual.
Personal information controller refers to a person
or organization who controls the collection,
holding, processing or use of personal
information, including a person or organization
who instructs another person or organization to
collect, hold, process, use, transfer or disclose
personal information on his or her behalf. The term
(1) A person or organization who performs such
functions as instructed by another person or
organization; and
(2) An individual who collects, holds, processes or
uses personal information in connection with the
individual’s personal, family or household affairs.
Personal information processor refers to any
natural or juridical person qualified to act as
such under this Act to whom a personal
information controller may outsource the
processing of personal data pertaining to a data
Processing refers to any operation or any set of
operations performed upon personal information
including, but not limited to, the collection,
recording, organization, storage, updating or
consolidation, blocking, erasure or destruction of
Privileged information refers to any and all forms
of data which under the Rules of Court and other
Sensitive personal information refers to personal
(1) About an individual’s race, ethnic origin, marital
status, age, color, and religious, philosophical or
political affiliations;
(2) About an individual’s health, education,
genetic or sexual life of a person, or to any
proceeding for any offense committed or alleged
to have been committed by such person, the
disposal of such proceedings, or the sentence of
any court in such proceedings;
(3) Issued by government agencies peculiar to an
individual which includes, but not limited to, social
security numbers, previous or current health
records, licenses or its denials, suspension or
revocation, and tax returns; and
(4) Specifically established by an executive order
or an act of Congress to be kept classified.
Scope of Application
This Act does not apply to the following:
(a) Information about any individual who is or was
an officer or employee of a government institution
that relates to the position or functions of the
individual, including:
(1) The fact that the individual is or was an officer
or employee of the government institution;
(2) The title, business address and office
telephone number of the individual;
(3) The classification, salary range and
responsibilities of the position held by the
individual; and
(4) The name of the individual on a document
prepared by the individual in the course of
employment with the government;
(b) Information about an individual who is or was
performing service under contract for a
government institution that relates to the services
performed, including the terms of the contract, and
the name of the individual given in the course of
the performance of those services;
(c) Information relating to any discretionary benefit
of a financial nature such as the granting of a
license or permit given by the government to an
individual, including the name of the individual and
the exact nature of the benefit;
(d) Personal information processed for
journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the
functions of public authority which includes the
processing of personal data for the performance
by the independent, central monetary authority
and law enforcement and regulatory agencies of
their constitutionally and statutorily mandated
functions. Nothing in this Act shall be
construed as to have amended or repealed
Republic Act No. 1405, otherwise known as the
Secrecy of Bank Deposits Act; Republic Act No.
6426, otherwise known as the Foreign Currency
Deposit Act; and Republic Act No. 9510,
otherwise known as the Credit Information
System Act (CISA);
(f) Information necessary for banks and other
financial institutions under the jurisdiction of the
independent, central monetary authority or
Bangko Sentral ng Pilipinas to comply with
Republic Act No. 9510, and Republic Act No.
9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws;
(g) Personal information originally collected from
residents of foreign jurisdictions in accordance
with the laws of those foreign jurisdictions,
including any applicable data privacy laws, which
is being processed in the Philippines.
SEC. 5. Protection Afforded to Journalists and
Their Sources.
Publishers, editors or duly accredited reporters of
any newspaper, magazine or periodical of general
circulation are still protected from being
compelled to reveal the source of any news report
or information appearing in said publication which
was related in any confidence to such publisher,
editor, or reporter.
SEC. 6. Extraterritorial Application. – This Act
applies to an act done or practice engaged in and
outside of the Philippines by an entity if:
(a) The act, practice or processing relates to
personal information about a Philippine citizen or
a resident;
(b) The entity has a link with the Philippines, and
the entity is processing personal information in the
Philippines or even if the processing is outside the
Philippines as long as it is about Philippine citizens
or residents such as, but not limited to, the
(1) A contract is entered in the Philippines;
(2) A juridical entity unincorporated in the
Philippines but has central management and
control in the country; and
(3) An entity that has a branch, agency, office
or subsidiary in the Philippines and the
parent or affiliate of the Philippine entity has
access to personal information; and
(c) The entity has other links in the Philippines
such as, but not limited to:
(1) The entity carries on business in the
Philippines; and
(2) The personal information was collected or
held by an entity in the Philippines.
-an independent body mandated by this Act to
administer and implement the provisions of this
Act, and to monitor and ensure compliance of the
country with international standards set for data
-protects individual personal information and
upholds the right to privacy by regulating the
processing of personal information.
Data Privacy Principles
-requires that the purpose for processing a
person’s data should be determined and
disclosed before its collection or as soon
as practicable
-data subject must be aware of the
purpose; risks must be known
-requires that the collection and
processing of information must also be
compatible with a declared and specified
purpose, which must not be contrary to
law, morals, or public policy
-requires that the processing of personal
information must be relevant to, and must
not exceed, the declared purpose
-requires that personal data should be
accurate and kept up to date. It also
requires that inaccurate or incomplete data
be rectified, supplemented, destroyed, or
Processing of Personal Data
SEC. 12. Criteria for Lawful Processing of
Personal Information. – The processing of
personal information shall be permitted only if not
otherwise prohibited by law, and when at least
one of the following conditions exists:
(a) The data subject has given his or her consent;
(b) The processing of personal information is
necessary and is related to the fulfillment of a
contract with the data subject or in order to take
steps at the request of the data subject prior to
entering into a contract;
(c) The processing is necessary for compliance
with a legal obligation to which the personal
information controller is subject;
(d) The processing is necessary to protect
vitally important interests of the data subject,
including life and health;
(e) The processing is necessary in order to
respond to national emergency, to comply with
the requirements of public order and safety, or to
fulfill functions of public authority which
necessarily includes the processing of personal
data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes
of the legitimate interests pursued by the
personal information controller or by a third party
or parties to whom the data is disclosed, except
where such interests are overridden by
fundamental rights and freedoms of the data
subject which require protection under the
Philippine Constitution.
SEC. 14. Subcontract of Personal Information. –
A personal information controller may subcontract
information: Provided, That
information controller shall be responsible for
ensuring that proper safeguards are in place to
ensure the confidentiality of the personal
information processed, prevent its use for
unauthorized purposes, and generally, comply
with the requirements of this Act and other laws
for processing of personal information.
Rights of Data Subject
SEC. 16. Rights of the Data Subject. – The data
subject is entitled to:
(a) Be informed whether personal information
pertaining to him or her shall be, are being or have
been processed;
(b) Be furnished the information indicated
hereunder before the entry of his or her personal
information into the processing system of the
personal information controller, or at the next
practical opportunity:
(1) Description of the personal information to
be entered into the system;
(2) Purposes for which they are being or are
to be processed;
(3) Scope and method of the personal
information processing;
(4) The recipients or classes of recipients to
whom they are or may be disclosed;
(5) Methods utilized for automated access, if
the same is allowed by the data subject, and the
extent to which such access is authorized;
(6) The identity and contact details of the
personal information controller or its
(7) The period for which the information will be
stored; and
(8) The existence of their rights, i.e., to access,
correction, as well as the right to lodge a complaint
before the Commission.
To be informed
To object
To access
To rectification
To erasure or blocking
incomplete, false, outdated, for illegal
purpose, purpose is done
To damages
Rights are violated
To data portability
obtain a copy of data undergoing
Data Breach Notification
a. The Commission shall be notified within
seventy-two (72) hours upon knowledge of
or the reasonable belief by the personal
information processor that a personal data
breach has occurred.
b. Notification of personal data breach shall
be required when sensitive personal
information or any other information that
may, under the circumstances, be used
to enable identity fraud are reasonably
believed to have been acquired by an
unauthorized person, and the personal
information controller or the Commission
acquisition is likely to give rise to a real risk
of serious harm to any affected data
c. Depending on the nature of the incident, or if
there is delay or failure to notify, the Commission
may investigate the circumstances surrounding
the personal data breach. Investigations may
include on-site examination of systems and
Outsourcing and Subcontracting Agreements
A separate provision in IRR
Subcontract of Personal Information. – A
subcontract the processing of personal data:
Provided, That the personal information
controller shall use contractual or other
reasonable means to ensure that proper
safeguards are in place, to ensure the
confidentiality, integrity, and availability of the
personal data processed, prevent its use for
unauthorized purposes, and generally, comply
with the requirements of this Act, these Rules,
other applicable laws for processing of
personal data, and other issuances of the
-both controller and subcontractor must comply
with the Act
Registration and Compliance Requirements
Who needs to register?
Companies with at least 250 employees or
access to the personal and identifiable
information of at least 1,000 people are
required to register with the National Privacy
Commission and comply with the Data Privacy
Act of 2012. Some of these companies are
already on their way to compliance – but many
more are unaware that they are even affected
by the law.
-Some are not required to register but they are
still required to comply with this Act
Compliance: *if required to register
-Appointing a Data Protection Officer
-Conducting a privacy impact assessment
-Creating a privacy impact assessment
management program
-Exercising a breach reporting procedure
imprisonment, fine and disqualification to
occupy public office:
a. Unauthorized processing of personal
information and personal sensitive
b. Accessing Personal Information and
Sensitive Personal Information Due to
c. Improper Disposal of Personal Information
and Sensitive Personal Information
d. Processing of Personal Information and
Sensitive Personal Information for
Unauthorized Purposes
e. Unauthorized Access or International
f. Concealment of Security Breaches
involving Sensitive Personal Information
g. Malicious Disclosure
h. Unauthorized Disclosure
Large-Scale. – The maximum penalty in the
scale of penalties respectively provided for the
preceding offenses shall be imposed when the
personal information of at least one hundred
(100) persons is harmed, affected or involved
as the result of the above mentioned actions.
-additional no. of years for imprisonment and
higher amount of fine