Guide Questions - DPA, ECA and EASE

The document defines key terms related to data privacy such as personal data, sensitive data, data controller, data processor, and processing. It outlines the scope of applications of data privacy laws and regulations. It also lists the general data privacy principles of transparency, legitimate purpose and proportionality. Personal information must be collected for specified purposes, processed fairly and lawfully, kept accurate and up to date. The criteria for lawful processing of personal information includes consent of the data subject or when necessary to fulfill a contract.

Uploaded by

Anjilla Rubia

DATA PRIVACY ACT

1. Define the following:

a. Personal Data

Refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

b. Sensitive Data

Refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept classified.

c. Data Controller

Refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:

(1) A person or organization who performs such functions as instructed by another person or organization; and

(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

d. Data Processor

Refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

e. Privileged Information

Refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.

d. Processing

Refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

2. What are the scope of applications of the laws/regulations?

This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including
those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

(1) The fact that the individual is or was an officer or employee of the government institution;

(2) The title, business address and office telephone number of the individual;

(3) The classification, salary range and responsibilities of the position held by the individual; and

(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

3. What are the Data Privacy Principles under the law?

SEC. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

Personal information must be:

(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;

(b) Processed fairly and lawfully;

(c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;

(d) Adequate and not excessive in relation to the purposes for which they are collected and processed;

(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and

(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.

The personal information controller must ensure implementation of personal information processing principles set out herein.

4. What types of processing are covered and exempted?

SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

5. What are the security measures for protection of personal data?

SEC. 20. Security of Personal Information. – (a) The personal information controller must implement reasonable and appropriate organizational, physical and
technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.

(b) The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

(c) The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:

(1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;

(2) A security policy with respect to the processing of personal information;

(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and

(4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.

(d) The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision.

(e) The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information is not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations.

(f) The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.

(1) In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information.

(2) The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects.

(3) The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach.

6. What are the Rights of Data Subjects?

SEC. 16. Rights of the Data Subject. – The data subject is entitled to:

(a) Be informed whether personal information pertaining to him or her shall be, are being or have been processed;

(b) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:

(1) Description of the personal information to be entered into the system;

(2) Purposes for which they are being or are to be processed;

(3) Scope and method of the personal information processing;

(4) The recipients or classes of recipients to whom they are or may be disclosed;

(5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;

(6) The identity and contact details of the personal information controller or its representative;

(7) The period for which the information will be stored; and

(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.

Any information supplied or declaration made to the data subject on these matters shall not be amended without prior notification of data subject: Provided, That the notification under subsection (b) shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship, between the collector and the data subject, or when the information is being collected and processed as a result of legal obligation;

(c) Reasonable access to, upon demand, the following:

(1) Contents of his or her personal information that were processed;

(2) Sources from which personal information were obtained;

(3) Names and addresses of recipients of the personal information;

(4) Manner by which such data were processed;

(5) Reasons for the disclosure of the personal information to recipients;

(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;

(7) Date when his or her personal information concerning the data subject were last accessed and modified; and

(8) The designation, or name or identity and address of the personal information controller;

(d) Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have
been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;

(e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; and

(f) Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

Shorter Version:

(1.) Right to Information – be informed whether personal information pertaining to him is being processed; be notified and furnished with information about the data gathered and all about its processing.

(2.) Right to Object – right to object in processing his or her personal data

(3.) Right to Access – access upon DEMAND, to his or her personal data, sources, recipients, manner of processing

(4.) Right to Rectification/Correct – right to dispute the inaccuracy or error in the personal data and have the PIC to correct it.

(5.) Right to Erasure or Blocking – right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data if the same is incomplete, outdated, unlawfully gathered, etc.

(6.) Right to Damages – data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, or unlawfully obtained personal data

7. Explain Data Breach Notification (Requirement and Procedure).

(1) The commission and the affected data subject shall be notified by PIC within 72 hours upon knowledge of data breach.

(2) Notification of personal data breach shall be required when sensitive personal information or any other information

(3) Notification shall at least describe (a) the nature of the breach; (b) the personal data possibly involved; (c) and measures taken by the entity to address the breach.

8. Explain Outsourcing and Subcontracting agreements.

Section 43. Subcontract of Personal Data. A personal information controller may subcontract or outsource the processing of personal data: Provided, that the personal information controller shall use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of the Act, these Rules, other applicable laws for processing of personal data, and other issuances of the Commission.

Section 44. Agreements for Outsourcing. Processing by a personal information processor shall be governed by a contract or other legal act that binds the personal information processor to the personal information controller.

a. The contract or legal act shall set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the personal information controller, and the geographic location of the processing under the subcontracting agreement.

b. The contract or other legal act shall stipulate, in particular, that the personal information processor shall:

1. Process the personal data only upon the documented instructions of the personal information controller, including transfers of personal data to another country or an international organization, unless such transfer is authorized by law;

2. Ensure that an obligation of confidentiality is imposed on persons authorized to process the personal data;

3. Implement appropriate security measures and comply with the Act, these Rules, and other issuances of the Commission;

4. Not engage another processor without prior instruction from the personal information controller: Provided, that any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;

5. Assist the personal information controller, by appropriate technical and organizational measures and to the extent possible, fulfill the obligation to respond to requests by data subjects relative to the exercise of their rights;

6. Assist the personal information controller in ensuring compliance with the Act, these Rules, other relevant laws, and other issuances of the Commission, taking into account the nature of processing and the information available to the personal information processor;

7. At the choice of the personal information controller, delete or return all personal data to the personal information controller after the end of the provision of services relating to the processing: Provided, that this includes deleting existing copies unless storage is authorized by the Act or another law;

8. Make available to the personal information controller all information necessary to demonstrate compliance with the obligations laid down in the Act, and allow for and contribute to audits, including inspections, conducted by the personal information controller or another auditor mandated by the latter;

9. Immediately inform the personal information controller if, in its opinion, an instruction infringes the Act, these Rules, or any other issuance of the Commission.

9. Explain Registration and Compliance requirements.

Section 46. Enforcement of the Data Privacy Act. Pursuant to the mandate of the Commission to administer and implement the Act, and to ensure the compliance of personal information controllers with its obligations under the law, the Commission requires the following:

a. Registration of personal data processing systems operating in the country that involves accessing or requiring sensitive personal information of at least one thousand (1,000) individuals, including the personal data processing system of contractors, and their personnel, entering into contracts with government agencies;

b. Notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject;

c. Annual report of the summary of documented security incidents and personal data breaches;

d. Compliance with other requirements that may be provided in other issuances of the Commission.

Section 47. Registration of Personal Data Processing Systems.

The personal information controller or personal information processor that employs fewer than two hundred fifty (250) persons shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal information of at least one thousand (1,000) individuals.

a. The contents of registration shall include:

1. The name and address of the personal information controller or personal information processor, and of its representative, if any, including their contact details;

2. The purpose or purposes of the processing, and whether processing is being done under an outsourcing or subcontracting agreement;

3. A description of the category or categories of data subjects, and of the data or categories of data relating to them;

4. The recipients or categories of recipients to whom the data might be disclosed;

5. Proposed transfers of personal data outside the Philippines;

6. A general description of privacy and security measures for data protection;

7. Brief description of the data processing system;

8. Copy of all policies relating to data governance, data privacy, and information security;

9. Attestation to all certifications attained that are related to information and communications processing; and

10. Name and contact details of the compliance or data protection officer, which shall immediately be updated in case of changes.

b. The procedure for registration shall be in accordance with these Rules and other issuances of the Commission.

Section 48. Notification of Automated Processing Operations. The personal information controller carrying out any wholly or partly automated processing operations or set of such operations intended to serve a single purpose or several related purposes shall notify the Commission when the automated processing becomes the sole basis for making decisions about a data subject, and when the decision would significantly affect the data subject.

a. The notification shall include the following information:

1. Purpose of processing;

2. Categories of personal data to undergo processing;

3. Category or categories of data subject;

4. Consent forms or manner of obtaining consent;

5. The recipients or categories of recipients to whom the data are to be disclosed;

6. The length of time the data are to be stored;

7. Methods and logic utilized for automated processing;

8. Decisions relating to the data subject that would be made on the basis of processed data or that would significantly affect the rights and freedoms of data subject; and

9. Names and contact details of the compliance or data protection officer.

b. No decision with legal effects concerning a data subject shall be made solely on the basis of automated processing without the consent of the data subject.

Section 49. Review by the Commission.

The following are subject to the review of the Commission, upon its own initiative or upon the filing of a complaint by a data subject:

a. Compliance by a personal information controller or personal information processor with the Act, these Rules, and other issuances of the Commission;

b. Compliance by a personal information controller or personal information processor with the requirement of establishing adequate safeguards for data privacy and security;

c. Any data sharing agreement, outsourcing contract, and similar contracts involving the processing of personal data, and its implementation;

d. Any off-site or online access to sensitive personal data in government allowed by a head of agency;

e. Processing of personal data for research purposes, public functions, or commercial activities;

f. Any reported violation of the rights and freedoms of data subjects;

g. Other matters necessary to ensure the effective implementation and administration of the Act, these Rules, and other issuances of the Commission.

ELECTRONIC COMMERCE ACT

1. Explain the principles of the law.

This Act aims to facilitate domestic and international dealings, transactions, arrangements, agreements, contracts and exchanges and storage of information through the utilization of electronic, optical and similar medium, mode, instrumentality and technology to recognize the authenticity and reliability of electronic data messages or electronic documents related to such activities and to promote the universal use of electronic transactions in the government and by the general public.

2. What is the application of the law?

This Act shall apply to any kind of electronic data message and electronic document used in the context of commercial and non-commercial activities to include domestic and international dealings, transactions, arrangements, agreements, contracts and exchanges and storage of information.

3. Define:

a. “Addressee” - refers to a person who is intended by the originator to receive the electronic data message or electronic document, but does not include a person acting as an intermediary with respect to that electronic data message or electronic data document.

b. “Electronic document” - refers to information or the representation of information, data, figures, symbols or other modes of written expression, described or however represented, by which a right is established or an obligation extinguished, or by which a fact may be proved and affirmed, which is received, recorded, transmitted, stored, processed, retrieved or produced electronically.

c. “Electronic signature” - refers to any distinctive mark, characteristic and/or sound in electronic form, representing the identity of a person and attached to or logically associated with the electronic data message or electronic document or any methodology or procedures employed or adopted by a person and executed or adopted by such person with the intention of authenticating or approving an electronic data message or electronic document.

d. “Electronic data message” - refers to information generated, sent, received or stored by electronic, optical or similar means.

e. “Intermediary” - refers to a person who in behalf of another person and with respect to a particular electronic document sends, receives and/or stores, provides other services in respect of that electronic data message or electronic document.

f. “Originator” - refers to a person by whom, or on whose behalf, the electronic document purports to have been created, generated and/or sent. The term does not include a person acting as an intermediary with respect to that electronic document.

4. Explain the difference “Legal Recognition of Electronic Data Messages and Electronic Documents.”

Legal Recognition of Electronic Data Messages: Information shall not be denied validity or enforceability solely on the ground that it is in the form of electronic data message purporting to give rise to such legal effect, or that it is merely incorporated by reference in that electronic data message.

Legal Recognition of Electronic documents:

For evidentiary purposes, an electronic document shall be the functional equivalent of a written document under existing laws.

The Act does not modify any statutory rule relating to admissibility of electronic data messages or electronic documents, except the rules relating to authentication and best evidence.

Electronic documents shall have the legal effect, validity or enforceability as any other document or legal writing, and:

a. Where the law requires a document to be in writing, that requirement is met by an electronic document if the said electronic document: i. maintains its integrity and reliability and ii. can be authenticated so as to be usable for subsequent reference, in that:

(1) The electronic document has remained complete and unaltered, apart from the addition of any endorsement and any authorized change, or any change which arises in the normal course of communication, storage and display; and

(2) The electronic document is reliable in the light of the purpose for which it was generated and in the light of all relevant circumstances.

b. Paragraph (a) applies whether the requirement therein is in the form of an obligation or whether the law simply provides consequences for the document not being presented or retained in its original form.

c. Where the law requires that a document be presented or retained in its original form, that requirement is met by an electronic document if

i. There exists a reliable assurance as to the integrity of the document from the time when it was first generated in its final form; and

ii. That document is capable of being displayed to the person to whom it is to be presented: Provided, That no provision of the Act shall apply to vary any and all requirements of existing laws on formalities required in the execution of documents for their validity.

5. Explain the “Validity of Electronic Contracts.”

SEC (16). Formation and Validity of Electronic Contracts. — (1) Except as otherwise agreed by the parties, an offer, the acceptance of an offer and such other elements required under existing laws for the formation of contracts may be expressed in, demonstrated and proved by means of electronic data messages or electronic documents and no contract shall be denied validity or enforceability on the sole ground that it is in the form of an electronic data message or electronic document, or that any or all of the elements required under existing laws for the formation of the contracts is expressed, demonstrated and proved by means of electronic data messages or electronic documents.

(2) Electronic transactions made through networking among banks, or linkages thereof with other entities or networks, and vice versa, shall be deemed consummated upon the actual dispensing of cash or the debit of one account and the corresponding credit to another, whether such transaction is initiated by the depositor or by an authorized collecting party: Provided, That the obligation of one bank, entity, or person similarly situated to another arising therefrom shall be considered absolute and shall not be subjected to the process of preference of credits.

6. What are the rules governing “Agreement on Acknowledgement of Receipt of Electronic Data Messages or Electronic Documents.”

General Rule: No acknowledgement of receipt is necessary.

Except: if the parties agree to it; or when the originator requested it in the electronic data message or electronic document.

Method of Acknowledgment:

1. Agreement as to a particular method – to be followed;

2. No agreement on a particular method:

a. Any communication by the addressee;

b. Any conduct of the addressee sufficient to indicate receipt to the originator

When the originator can regard the EDM/ED as not received when there is no acknowledgement:

1. When the originator stated the effect or significance of acknowledgment or the ED is CONDITIONAL upon receipt

2. No statement as to effect/significance but originator gave notice stating that no acknowledgement has been received and specifying a reasonable

time by which acknowledgement is to be received, and no acknowledgement is received within such reasonable time.

7. What are the actions related to Contracts of Carriage of Goods.

Applies to any action in connection with, or in pursuance of, a contract of carriage of goods, including but not limited to:

a. furnishing the marks, number, quantity or weight of goods;

stating or declaring the nature or value of goods;

issuing a receipt for goods;

confirming that goods have been loaded;

b. notifying a person of terms and conditions of the contract;

giving instructions to a carrier;

c. claiming delivery of goods;

authorizing release of goods;

giving notice of loss of, or damage to goods;

d. giving any other notice or statement in connection with the performance of the contract;

e. undertaking to deliver goods to a named person or a person authorized to claim delivery;

f. granting, acquiring, renouncing, surrendering, transferring or negotiating rights in goods;

g. acquiring or transferring rights and obligations under the contract.

8. What are the requirements of the law to the government agencies?

SEC (26). Government Use of Electronic Data Messages, Electronic Documents and Electronic Signatures. — Notwithstanding any law to the contrary, within two (2) years from the date of the effectivity of this Act, all departments, bureaus, offices and agencies of the government, as well as all government-owned and -controlled corporations, that pursuant to law require or accept the filing of documents, require that documents be created, or retained and/or submitted, issue permits, licenses or certificates of registration or approval, or provide for the method and manner of payment or settlement of fees and other obligations to the government, shall —

(a) accept the creation, filing or retention of such documents in the form of electronic data messages or electronic documents;

(b) issue permits, licenses, or approval in the form of electronic data messages or electronic documents;

(c) require and/or accept payments, and issue receipts acknowledging such payments, through systems using electronic data messages or electronic documents; or

(d) transact the government business and/or perform governmental functions using electronic data messages or electronic documents, and for the purpose, are authorized to adopt and promulgate, after appropriate public hearing and with due publication in newspapers of general circulation, the appropriate rules, regulations, or guidelines, to among others, specify —
1) the manner and format in which such electronic data messages or electronic documents shall be filed, created, retained or issued;

2) where and when such electronic data messages or electronic documents have to be signed, the use of an electronic signature, the type of electronic signature required;

3) the format of an electronic data message or electronic document and the manner the electronic signature shall be affixed to the electronic data message or electronic document;

4) the control processes and procedures as appropriate to ensure adequate integrity, security and confidentiality of electronic data messages or electronic documents or records or payments;

5) other attributes required of electronic data messages or electronic documents or payments; and

6) the full or limited use of the documents and papers for compliance with the government requirements: Provided, That this Act shall by itself mandate any department of the government, organ of state or statutory corporation to accept or issue any document in the form of electronic data messages or electronic documents upon the adoption, promulgation and publication of the appropriate rules, regulations, or guidelines.

EASE OF DOING BUSINESS AND EFFICIENT DELIVERY OF GOVERNMENT SERVICE DELIVERY ACT

1. What are the Policy, Constructions and Interpretation of the law?

Sec. 2. Declaration of Policy. – It is hereby declared the policy of the State to promote integrity, accountability, proper management of public affairs and public property as well as to establish effective practices, aimed at efficient turnaround of the delivery of government services and the prevention of graft and corruption in government. Towards this end, the State shall maintain honesty and responsibility among its public officials and employees, and shall take appropriate measures to promote transparency in each agency with regard to the manner of transacting with the public, which shall encompass a program for the adoption of simplified requirements and procedures that will reduce red tape and expedite business and nonbusiness related transactions in government.

2. Define:

a. “Action” - refers to the written approval or disapproval made by a government office or agency on the application or request submitted by an applicant or requesting party for processing;

b. “Citizen Charter” - is an official document, a service standard, or a pledge, that communicates, in simple terms, information on the services provided by the government to its citizens pursuant to Section 6 of RA 11032. It describes in detail the:

(a) A comprehensive and uniform checklist of requirements for each type of application or request;

(b) The procedure to obtain a particular service;

(c) The person/s responsible for each step;

(d) The maximum time to conclude the process;

(e) The document/s to be presented by the applicant or requesting party, if necessary;
(f) The amount of fees, if necessary; and

c. “Complex Transactions” - applications or requests submitted by applicants or requesting parties of a government office which necessitate evaluation in the resolution of complicated issues by an officer or employee of said government office, such transactions to be determined by the office concerned;

d. “Fixing” - refers to the act that involves undue facilitation of transactions for pecuniary gain or any other advantage or consideration

e. “Fixer” - any individual whether or not officially involved in the operation of a government office or agency who has access to people working therein, and whether or not in collusion with them, facilitates speedy completion of transactions for pecuniary gain or any other advantage or consideration;

f. “Highly Technical Application or Transaction” - an application which requires the use of technical knowledge, specialized skills and/or training in the processing and/or evaluation thereof;

g. “Ministerial” - is an act or duty which an officer or tribunal performs in a given state of facts, in a prescribed manner, in obedience to the mandate of a legal authority, without regard to or the exercise of his own judgment upon the propriety or impropriety of the act done. A duty is ministerial only when the discharge of the same requires neither the exercise of official discretion or judgment.

h. “Prescribed Processing Time” - the time consumed by an LGU or national government agency (NGA) from the receipt of an application or request with complete requirements, accompanying documents and payment of fees to the issuance of certification or such similar documents approving or disapproving an application or request;

i. “Red Tape” - any regulation, rule, or administrative procedure or system that is ineffective or detrimental in achieving its intended objectives and, as a result, produces slow, suboptimal, and undesirable social outcomes;

j. “Working Day” - refers to a day where officers and employees are required to render work

3. What are the coverages and scope of the law?

Sec. 3. Coverage. – This Act shall apply to all government offices and agencies including local government units (LGUs), government-owned or controlled corporations and other government instrumentalities, whether located in the Philippines or abroad, that provide services covering business and nonbusiness related transactions as defined in this Act.

4. What are prescribed methods under the law in the reengineering of the system and procedures of government agencies.

Sec. 5. Reengineering of Systems and Procedures. – All offices and agencies which provide government services are hereby mandated to regularly undertake cost compliance analysis, time and motion studies, undergo evaluation and improvement of their transaction systems and procedures and reengineer the same if deemed necessary to reduce bureaucratic red tape and processing time.

The Anti-Red Tape Authority, created in this Act, shall coordinate with all government offices covered under Section 3 of this Act in the review of existing laws, executive issuances and local ordinances, and recommend the repeal of the same if deemed outdated, redundant, and adds undue regulatory burden to the transacting public.

All proposed regulations of government agencies under Section 3 of this Act shall undergo regulatory impact assessment to establish if the proposed regulation does not add undue regulatory burden and cost to these agencies and the applicants or requesting parties: Provided, That when necessary, any proposed regulation may undergo pilot implementation to assess regulatory impact.

Upon effectivity of this Act, all LGUs and NGAs are directed to initiate review of existing policies and operations and commence with the reengineering of their systems and procedures in compliance with the provisions of this Act, pending the approval of the implementing rules and regulations (IRR) thereof.

5. What are the contents of the “Citizen Charter”.

Sec. 6. Citizen’s Charter. – All government agencies including departments, bureaus, offices, instrumentalities, or government-owned and/or –controlled corporations, or LGUs shall set up their respective most current and updated service standards to be known as the Citizen’s Charter in the form of information billboards which shall be posted at the main entrance of offices or at the most conspicuous place, in their respective websites and in the form of published materials written either in English, Filipino, or in the local dialect, that detail:

(a) A comprehensive and uniform checklist of requirements for each type of application or request;

(b) The procedure to obtain a particular service;

(c) The person/s responsible for each step;

(d) The maximum time to conclude the process;

(e) The document/s to be presented by the applicant or requesting party, if necessary;

(f) The amount of fees, if necessary; and

(g) The procedure for filing complaints.

6. Explain “ZERO CONTACT POLICY”.

Sec. 7. Zero-Contact Policy. – Except during the preliminary assessment of the request and evaluation of sufficiency of submitted requirements, no government officer or employee shall have any contact, in any manner, unless strictly necessary with any applicant or requesting party concerning an application or request. Once the Department of Information and Communications Technology (DICT) has completed a web-based software enabled business registration system that is acceptable to the public as mandated under Section 26 of this Act, all transactions shall be coursed through such system. All government agencies including LGUs shall adopt a zero-contact policy.

7. Make a process flow of RULE VII “Accessing Government Services”.

Sec. 9. Accessing Government Services. – The following shall be adopted by all government offices and agencies:

(a) Acceptance of Applications or Requests. – (1) All officers or employees shall accept written applications, requests, and/or documents being submitted by applicants or requesting parties of the offices or agencies.

(2) The receiving officer or employee shall perform a preliminary assessment of the application or request submitted with its supporting documents to ensure a more expeditious action on the application or request. The receiving officer or employee shall immediately inform the applicant or requesting party of any
deficiency in the accompanying requirements, which shall be limited to those enumerated in the Citizen’s Charter.

(3) The receiving officer or employee shall assign a unique identification number to an application or request, which shall be the identifying number for all subsequent transactions between the government and the applicant or requesting party regarding such specific application or request.

(4) The receiving officer or employee shall issue an acknowledgement receipt containing the seal of the agency, the name of the responsible officer or employee, his/her unit and designation, and the date and time of receipt of such application or request.

(b) Action of Offices. – (1) All applications or requests submitted shall be acted upon by the assigned officer or employee within the prescribed processing time stated in the Citizen’s Charter which shall not be longer than three (3) working days in the case of simple transactions and seven (7) working days in the case of complex transactions from the date the request and/or complete application or request was received.

For applications or requests involving activities which pose danger to public health, public safety, public morals, public policy, and highly technical application, the prescribed processing time shall in no case be longer than twenty (20) working days or as determined by the government agency or instrumentality concerned, whichever is shorter.

The maximum time prescribed above may be extended only once for the same number of days, which shall be indicated in the Citizen’s Charter. Prior to the lapse of the processing time, the office or agency concerned shall notify the applicant or requesting party in writing of the reason for the extension and final date of release of the government service/s requested. Such written notification shall be signed by the applicant or requesting party to serve as proof of notice.

If the application or request for license, clearance, permit, certification or authorization shall require the approval of the local Sangguniang Bayan, Sangguniang Panlungsod, or the Sangguniang Panlalawigan as the case may be, the Sanggunian concerned shall be given a period of forty-five (45) working days to act on the application or request, which can be extended for another twenty (20) working days. If the local Sanggunian concerned has denied the application or request, the reason for the denial, as well as the remedial measures that may be taken by the applicant shall be cited by the concerned Sanggunian.

In cases where the cause of delay is due to force majeure or natural or man-made disasters, which result in damage or destruction of documents, and/or system failure of the computerized or automatic processing, the prescribed processing times mandated in this Act shall be suspended and appropriate adjustments shall be made.

(2) No application or request shall be returned to the applicant or requesting party without appropriate action. In case an application or request is disapproved, the officer or employee who rendered the decision shall send a formal notice to the applicant or requesting party within the prescribed processing time, stating therein the reason for the disapproval. A finding by a competent authority of a violation of any or other laws by the applicant or requesting party shall constitute a valid ground for the disapproval of the application or request, without prejudice to other grounds provided in this Act or other pertinent laws.

(c) Denial of Application or Request for Access to Government Service. – Any denial of application or request for access to government service shall be fully explained in writing, stating the name of the person making the denial and the grounds upon which such denial is based. Any denial of application or request is deemed to have been made with the permission or clearance from the highest authority having jurisdiction over the government office or agency concerned.


(d) Limitation of Signatories – The number of signatories in any document shall be limited to a maximum of three (3) signatures which shall represent officers directly supervising the office or agency concerned: Provided, That in case the authorized signatory is on official business or official leave, an alternate shall be designated as signatory. Electronic signatures or pre-signed license, clearance, permit, certification or authorization with adequate security and control mechanisms may be used.

(e) Electronic Versions of Licenses, Clearances, Permits, Certifications or Authorizations. – All government agencies covered under Section 3 of this Act shall, when applicable, develop electronic versions of licenses, clearances, permits, certifications or authorizations with the same level of authority as that of the signed hard copy, which may be printed by the applicants or requesting parties in the convenience of their offices.

(f) Adoption of Working Schedules to Serve Applicants or Requesting Parties. – Heads of offices and agencies which render government services shall adopt appropriate working schedules to ensure that all applicants or requesting parties who are within their premises prior to the end of official working hours are attended to and served even during lunch break and after regular working hours.

(g) Identification Card. – All employees transacting with the public shall be provided with an official identification card which shall be visibly worn during office hours.

(h) Establishment of Public Assistance/Complaints Desk. – Each office or agency shall establish a public assistance/complaints desk in all their offices.

8. Explain the different Streamlined Procedures to be adopted by the LGU for the issuance of local business licenses, clearances, permits, certifications or authorizations.

Sec. 11. Streamlined Procedures for the Issuance of Local Business Licenses, Clearances, Permits, Certifications or Authorizations. – The LGUs are mandated to implement the following revised guidelines in the issuance of business licenses, clearances, permits, certifications or authorizations:

(a) A single or unified business application form shall be used in processing new applications for business permits and business renewals which consolidates all the information of the applicant or requesting party by various local government departments, such as, but not limited to, the local taxes and clearances, building clearance, sanitary permit, zoning clearance, and other specific LGU requirements, as the case may be, including the fire clearance from the Bureau of Fire Protection (BFP). The unified form shall be made available online using technology-neutral platforms such as, but not limited to, the central business portal or the city/municipality’s website and various channels for dissemination. Hard copies of the unified forms shall likewise be made available at all times in designated areas of the concerned office and/or agency.

(b) A one-stop business facilitation service, hereinafter referred to as the business one stop shop, (BOSS) for the city/municipality’s business permitting and licensing system to receive and process manual and/or electronic submission of application for license, clearance, permit, certification or authorization shall be established within the cities/municipalities’ Negosyo Center as provided for under Republic Act No. 10644, otherwise known as the "Go Negosyo Act." There shall be a queuing mechanism in the BOSS to better manage the flow of applications among the LGUs’ departments receiving and processing applications. LGUs shall implement collocation of the offices of the treasury, business permits and licensing office, zoning office, including the BFP, and other relevant city/municipality
offices/departments, among others, engaged in starting a business, dealing with construction permits.

(c) Cities/Municipalities are mandated to automate their business permitting and licensing system or set up an electronic BOSS within a period of three (3) years upon the effectiveness of this Act for a more efficient business registration processes. Cities/Municipalities with electronic BOSS shall develop electronic versions of licenses, clearances, permits, certifications or authorizations with the same level of authority, which may be printed by businesses in the convenience of their offices. The DICT shall make available to LGUs the software for the computerization of the business permit and licensing system. The DICT, DTI, and DILG, shall provide technical assistance in the planning and implementation of a computerized or software-enabled business permitting and licensing system.

(d) To lessen the transaction requirements, other local clearances such as, but not limited to, sanitary permits, environmental and agricultural clearances shall be issued together with the business permit.

(e) Business permits shall be valid for a period of one (1) year. The city/municipality may have the option to renew business permits within the first month of the year or on the anniversary date of the issuance of the business permit.

(f) Barangay clearances and permits related to doing business shall be applied, issued, and collected at the city/municipality in accordance with the prescribed processing time of this Act: Provided, That the share in the collections shall be remitted to the respective barangays.

The pertinent provisions of Republic Act No. 7160, otherwise known as "The Local Government Code of 1991", specifically Article IV, Section 152(c) is hereby amended accordingly.

9. What are the punishable acts under the law?

Sec. 21. Violations and Persons Liable. – Any person who performs or causes the performance of the following acts shall be liable:

(a) Refusal to accept application or request with complete requirements being submitted by an applicant or requesting party without due cause;

(b) Imposition of additional requirements other than those listed in the Citizen’s Charter;

(c) Imposition of additional costs not reflected in the Citizen’s Charter;

(d) Failure to give the applicant or requesting party a written notice on the disapproval of an application or request;

(e) Failure to render government services within the prescribed processing time on any application or request without due cause;

(f) Failure to attend to applicants or requesting parties who are within the premises of the office or agency concerned prior to the end of official working hours and during lunch break;

(g) Failure or refusal to issue official receipts; and

(h) Fixing and/or collusion with fixers in consideration of economic and/or other gain or advantage.

Sec. 22. Penalties and Liabilities. – Any violations of the preceding actions will warrant the following penalties and liabilities.

(a) First Offense: Administrative liability with six (6) months suspension: Provided, however, That in the case of fixing and/or collusion with fixers under Section 21(h), the penalty and liability under Section 22(b) of this Act shall apply.

(b) Second Offense: Administrative liability and criminal liability of dismissal from the service, perpetual disqualification from holding public office and forfeiture of retirement benefits and imprisonment of one (1) year to six (6) years with a fine of not less than Five hundred thousand pesos (P500,000.00), but not more than Two million pesos (P2,000,000.00).

Criminal liability shall also be incurred through the commission of bribery, extortion, or when the violation was done deliberately and maliciously to solicit favor in cash or in kind. In such cases, the pertinent provisions of the Revised Penal Code and other special laws shall apply.

Sec. 23. Civil and Criminal Liability, Not Barred. – The finding of administrative liability under this Act shall not be a bar to the filing of criminal, civil or other related charges under existing laws arising from the same act or omission as herein enumerated.

Sec. 24. Administrative Jurisdiction. – The administrative jurisdiction on any violation of the provisions of this Act shall be vested in either the CSC, or the Office of the Ombudsman as determined by appropriate laws and issuances.
