REPUBLIC ACT No. 11032 Ease of Doing Business and Efficient Government Service Delivery Act of 2018 Section 2. Declaration of Policy. To promote integrity, accountability, proper management of public affairs and public property as well as to establish effective practices, aimed at efficient turnaround of the delivery of government services and the prevention of graft and corruption in government. Section 3. Coverage. Applies to all government offices and agencies including local government units (LGUs), government-owned or controlled corporations and other government instrumentalities, whether located in the Philippines or abroad, that provide services covering business and nonbusiness related transactions as defined in this Act. Section 4. Definition of Terms. (a) Action refers to the written approval or disapproval made by a government office or agency on the application or request submitted by an applicant or requesting party for processing; (b) Business One Stop Shop (BOSS) – a single common site or location, or a single online website or portal designated for the Business Permit and Licensing System (BPLS) of an LGU to receive and process applications, receive payments, and issue approved licenses, clearances, permits, or authorizations; (c) Business-related transactions – a set of regulatory requirements that a business entity must comply with to engage, operate or continue to operate a business, such as, but not limited to, collection or preparation of a number of documents, submission to national and local government authorities, approval of application submitted, and receipt of a formal certificate or certificates, permits, licenses which include primary and secondary, clearances and such similar authorization or documents which confer eligibility to operate or continue to operate as a legitimate business; (d) Complex transactions – applications or requests submitted by applicants or requesting parties of a government office which necessitate evaluation in the resolution of complicated issues by an officer or employee of said government office, such transactions to be determined by the office concerned; (e) Fixer – any individual whether or not officially involved in the operation of a government office or agency who has access to people working therein, and whether or not in collusion with them, facilitates speedy completion of transactions for pecuniary gain or any other advantage or consideration; (f) Government service – the process or transaction between applicants or requesting parties and government offices or agencies involving applications for any privilege, right, reward, license, clearance, permit or authorization, concession, of for any modification, renewal or extension of the enumerated applications or requests which are acted upon in the ordinary course of business of the agency or office concerned; (g) Highly technical application – an application which requires the use of technical knowledge, specialized skills and/or training in the processing and/or evaluation thereof; (h) Nonbusiness transactions – all other government transactions not falling under Section 4 (c) of this Act; (i) Officer or employee – a person employed in a government office or agency required to perform specific duties and responsibilities related to the application or request submitted by an applicant or requesting party for processing; (j) Processing time – the time consumed by an LGU or national government agency (NGA) from the receipt of an application or request with complete requirements, accompanying documents and payment of fees to the issuance of certification or such similar documents approving or disapproving an application or request; (k) Red tape – any regulation, rule, or administrative procedure or system that is ineffective or detrimental in achieving its intended objectives and, as a result, produces slow, suboptimal, and undesirable social outcomes; (l) Regulation – any legal instrument that gives effect to a government policy intervention and includes licensing, imposing information obligation, compliance to standards or payment of any form of fee, levy, charge or any other statutory and regulatory requirements necessary to carry out activity; and (m) Simple transactions – applications or requests submitted by applicants or requesting parties of a government office or agency which only require ministerial actions on the part of the public officer or employee, or that which present only inconsequential issues for the resolution by an officer or employee of said government. Section 5. Reengineering of Systems and Procedures. All offices and agencies which provide government services are hereby mandated to regularly undertake cost compliance analysis, time and motion studies, undergo evaluation and improvement of their transaction systems and procedures and reengineer the same if deemed necessary to reduce bureaucratic red tape and processing time. Section 6. Citizen’s Charter. All government agencies including departments, bureaus, offices, instrumentalities, or governmentowned and/or –controlled corporations, or LGUs shall set up their respective most current and updated service standards to be known as the Citizen’s Charter in the form of information billboards which shall be posted at the main entrance of offices or at the most conspicuous place, in their respective websites and in the form of published materials written either in English, Filipino, or in the local dialect, that detail: (a) A comprehensive and uniform checklist of requirements for each type of application or request; (b) The procedure to obtain a particular service; (c) The person/s responsible for each step; (d) The maximum time to conclude the process; (e) The document/s to be presented by the applicant or requesting party, if necessary; (f) The amount of fees, if necessary; and (g) The procedure for filing complaints. Section 7. Zero-Contact Policy. Except during the preliminary assessment of the request and evaluation of sufficiency of submitted requirements, no government officer or employee shall have any contact, in any manner, unless strictly necessary with any applicant or requesting party concerning an application or request. -notion na magpa-bayad Section 8. Accountability of Heads of Offices and Agencies. The head of the office or agency shall be primarily responsible for the implementation of this Act and shall be held accountable to the public in rendering fast, efficient, convenient and reliable service. Sec. 21. Violations and Persons Liable. (a) Refusal to accept application or request with complete requirements being submitted by an applicant or requesting party without due cause; (b) Imposition of additional requirements other than those listed in the Citizen’s Charter; (c) Imposition of additional costs not reflected in the Citizen’s Charter; (d) Failure to give the applicant or requesting party a written notice on the disapproval of an application or request; (e) Failure to render government services within the prescribed processing time on any application or request without due cause; (f) Failure to attend to applicants or requesting parties who are within the premises of the office or agency concerned prior to the end of official working hours and during lunch break; (g) Failure or refusal to issue official receipts; and REPUBLIC ACT NO. 10173 - Data Privacy Act of 2012 (h) Fixing and/or collusion with fixers in consideration of economic and/or other gain or advantage. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected. Sec. 22. Penalties and Liabilities. (a) First Offense: Administrative liability with six (6) months suspension: Provided, however, That in the case of fixing and/or collusion with fixers under Section 21(h), the penalty and liability under Section 22(b) of this Act shall apply. (b) Second Offense: Administrative liability and criminal liability of dismissal from the service, perpetual disqualification from holding public office and forfeiture of retirement benefits and imprisonment of one (1) year to six (6) years with a fine of not less than Five hundred thousand pesos (P500,000.00), but not more than Two million pesos (P2,000,000.00). Criminal liability shall also be incurred through the commission of bribery, extortion, or when the violation was done deliberately and maliciously to solicit favor in cash or in kind. In such cases, the pertinent provisions of the Revised Penal Code and other special laws shall apply. Sec. 25. Immunity, Discharge of Respondent/Accused to be a Witness. Co- Any public official or employee or any person having been charged with another offense under this Act and who voluntarily gives information pertaining to an investigation or who willingly testifies therefore, shall be exempt from prosecution in the case/s where his/her information and testimony are given. The discharge may be granted and directed by the investigating body or court upon the application or petition of any of the respondent/accusedinformant and before the termination of the investigation. ______________________________________ -to balance the rights of an individual (a constitutional right) and recognizing the role of information and communication -protects individuals from unauthorized processing of personal information that is: 1) private, not publicly available; and 2) identifiable, where the identity of the individual is apparent either through direct attribution or when put together through direct attribution or when put together with other available information. Definitions Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by in written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so. Data subject refers to an individual whose personal information is processed. Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes: (1) A person or organization who performs such functions as instructed by another person or organization; and (2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs. Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject. Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication. Sensitive personal information refers to personal information: (1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; (3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and (4) Specifically established by an executive order or an act of Congress to be kept classified. Scope of Application This Act does not apply to the following: (a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including: (1) The fact that the individual is or was an officer or employee of the government institution; (2) The title, business address and office telephone number of the individual; (3) The classification, salary range and responsibilities of the position held by the individual; and (4) The name of the individual on a document prepared by the individual in the course of employment with the government; (b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services; (c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit; (d) Personal information processed for journalistic, artistic, literary or research purposes; (e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA); (f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the AntiMoney Laundering Act and other applicable laws; and (g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines. SEC. 5. Protection Afforded to Journalists and Their Sources. Publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation are still protected from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter. SEC. 6. Extraterritorial Application. – This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if: (a) The act, practice or processing relates to personal information about a Philippine citizen or a resident; (b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following: (1) A contract is entered in the Philippines; (2) A juridical entity unincorporated in the Philippines but has central management and control in the country; and (3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and (c) The entity has other links in the Philippines such as, but not limited to: (1) The entity carries on business in the Philippines; and (2) The personal information was collected or held by an entity in the Philippines. NATIONAL PRIVACY COMMISSION -an independent body mandated by this Act to administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection. -protects individual personal information and upholds the right to privacy by regulating the processing of personal information. Data Privacy Principles PRINCIPLE OF TRANSPARENCY -requires that the purpose for processing a person’s data should be determined and disclosed before its collection or as soon as practicable -data subject must be aware of the purpose; risks must be known PRINCIPLE OF LEGITIMATE PURPOSE -requires that the collection and processing of information must also be compatible with a declared and specified purpose, which must not be contrary to law, morals, or public policy PRINCIPLE OF PROPORTIONALITY -requires that the processing of personal information must be relevant to, and must not exceed, the declared purpose DATA QUALITY PRINCIPLE -requires that personal data should be accurate and kept up to date. It also requires that inaccurate or incomplete data be rectified, supplemented, destroyed, or restricted *rectified-corrected Processing of Personal Data SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists: (a) The data subject has given his or her consent; (b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract; (c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject; (d) The processing is necessary to protect vitally important interests of the data subject, including life and health; (e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or (f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution. SEC. 14. Subcontract of Personal Information. – A personal information controller may subcontract the processing of personal information: Provided, That the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information. Rights of Data Subject SEC. 16. Rights of the Data Subject. – The data subject is entitled to: (a) Be informed whether personal information pertaining to him or her shall be, are being or have been processed; (b) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity: (1) Description of the personal information to be entered into the system; (2) Purposes for which they are being or are to be processed; (3) Scope and method of the personal information processing; (4) The recipients or classes of recipients to whom they are or may be disclosed; (5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized; (6) The identity and contact details of the personal information controller or its representative; (7) The period for which the information will be stored; and (8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission. RIGHTS OF THE DATA SUBJECT To be informed To object To access To rectification To erasure or blocking o incomplete, false, outdated, for illegal purpose, purpose is done To damages o Rights are violated To data portability o obtain a copy of data undergoing processing Data Breach Notification a. The Commission shall be notified within seventy-two (72) hours upon knowledge of or the reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred. b. Notification of personal data breach shall be required when sensitive personal information or any other information that may be, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. c. Depending on the nature of the incident, or if there is delay or failure to notify, the Commission may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures. Outsourcing and Subcontracting Agreements o A separate provision in IRR Subcontract of Personal Information. – A personal information controller may subcontract the processing of personal data: Provided, That the personal information controller shall use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity, and availability of the personal data processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act, these Rules, other applicable laws for processing of personal data, and other issuances of the Commission. -both controller and subcontractor must comply with the Act Registration and Compliance Requirements Who needs to register? Companies with at least 250 employees or access to the personal and identifiable information of at least 1,000 people are required to register with the National Privacy Commission and comply with the Data Privacy Act of 2012. Some of these companies are already on their way to compliance – but many more are unaware that they are even affected by the law. -Some are not required to register but they are still required to comply with this Act Compliance: *pag need mag register -Appointing a Data Protection Officer -Conducting a privacy impact assessment -Creating a privacy impact assessment -Implementing a privacy knowledge management program -Exercising a breach reporting procedure Penalties: Corresponding penalties including imprisonment, fine and disqualification to occupy public office: a. Unauthorized processing of personal information and personal sensitive information b. Accessing Personal Information and Sensitive Personal Information Due to Negligence c. Improper Disposal of Personal Information and Sensitive Personal Information d. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes e. Unauthorized Access or International Breach f. Concealment of Security Breaches involving Sensitive Personal Information g. Malicious Disclosure h. Unauthorized Disclosure Large-Scale. – The maximum penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the above mentioned actions. -additional no. of years for imprisonment and higher amount of fine