REVENUE MEMORANDUM CIRCULAR NO. 53-2022 issued on April 22, 2022 publishes the full text of the Data Sharing Agreement (DSA) between the Bureau of Internal Revenue (BIR) and the Philippine Statistics Authority (PSA).
The BIR shall undertake the following:
a. Request assistance from the PSA for the requested information, including, but not
limited to, the dates of birth and/or death of the person subject of the request and
address/es per record; the identities, addresses and the respective dates of birth and/or
death of his/her legal heirs; provided, That the BIR may obtain the requested
information only after sending a formal letter addressed to the National Statistician
and Civil Registrar General or his/her authorized representatives and signed by the
Commissioner of Internal Revenue or his/her duly authorized representatives
designated via a Revenue Delegation Authority Order (RDAO), either through a
registered mail or encrypted electronic mail (email); provided finally, that for this
purpose, the BIR shall not be granted online access to personal data under the custody
of the PSA;
b. Maintain strict confidentiality of all information provided by the PSA and only
disclose such information to the requesting foreign jurisdiction which, under existing
Double Taxation Agreement (DTA), is also bound by the same strict confidentiality
rule on the information received; and
c. Ensure the secure process of transmission of data or information to the requesting
foreign jurisdiction.
The PSA shall undertake the following:
a. Organize a special team that should handle all requests for Exchange of Information
(EOI) and apprise the members thereof of their obligation to maintain confidentiality
of all information connected thereto;
b. Designate the personnel who shall act as the head of the team and who shall supervise
the handling of all EOI requests;
c. Provide the requested information or any alternative relevant information within
fifteen (15) working days from receipt thereof via a registered mail or an encrypted
email, and in the event the requested information is not immediately available, the
PSA shall request for an extension not exceeding fifteen (15) working days; and
d. Issue a Certification duly signed by the National Statistician and Civil Registrar
General or any authorized representative in case the requested information cannot be
obtained after exerting all efforts to locate it, stating such fact and the reason/s for
failure to provide such information.
The BIR and PSA shall undertake the following:
a. Form or organize a Committee/Technical Working Group (TWG) to effect,
implement and enhance the provisions of the Data Sharing Agreement (DSA), when
necessary;
b. Continue to work through the established TWG in maintaining and enhancing the
system of tax information exchange and in the process, advance inter-agency
cooperation;
c. Take disciplinary action against their respective personnel who shall be found, after
thorough investigation, to have violated the guidelines set forth in the Agreement.
The data received by the BIR from the PSA shall be stored in a secure filing range inside the restricted EOI room of the International Tax Affairs Division (ITAD) of the BIR and shall be retained for a minimum of five (5) years from the effectivity of the DSA. On the other hand, all requests for information received by the PSA from the BIR shall be stored in secure storage facilities of the PSA and shall also be retained for a minimum of five (5) years from the effectivity
of the DSA.
The BIR shall strictly implement measures on the disposal of data in compliance with the National Privacy Commission (NPC) Circular 16-01, Rule V, Sections 30 to 32 on Disposal of Personal Data. Data disposal shall be guided by the disposal procedures per Revenue Memorandum Order (RMO) No. 1-2020 or the Data Privacy Manual for Bureau of Internal Revenue. The PSA, on the other hand, shall be guided by the disposal procedures per Data Privacy Manual.
The BIR shall strictly comply with all security policies and measures as defined in various existing revenue issuances such as RMO No. 50-2004, RMO No. 3-2014, RMO No. 12-2014 and RMO No. 15-2014. Conversely, the PSA shall strictly comply with its Data Privacy Manual. The Parties warrant to treat all information shared by them pursuant to the DSA with utmost confidentiality, in accordance with the Data Privacy Act, its Implementing Rules and Regulations (IRR), and other issuances of the NPC, the confidentiality rules of the EOI provision of the DTAs, as well as the Terms of Reference related to Exchange of Information on Request (EOIR), as approved by the Global Forum, and shall not, at any time, be disclosed or caused to be disclosed to any third party other than the requesting foreign jurisdiction or to the taxpayer subject of the EOI request without the prior written consent of the other Party.
The Parties further warrant to use all information received from each other only for the purposes set forth in the DSA and shall not copy, in whole or in part, such information without the other Party’s prior written consent. Finally, the Parties shall return or destroy all information received from the other Party upon termination of the DSA or immediately after the lapse of the
minimum retention period prescribed in the Agreement, whichever is later.
In case of violation of the rights of the data subject as specified in the Data Privacy Law and its IRR, he/she may file a complaint together with copies of any evidence and affidavit/s of witness/es before the concerned Data Protection Officer/s (DPO) of each Party.
Any complaint filed by the data subject shall be resolved by the respective DPOs of the concerned Party in accordance with its Data Privacy Manual, the Data Privacy Law and its IRR. The DPOs of the BIR and PSA are attached in the Agreement as Annex 2. Changes in the DPOs shall be communicated in writing by the concerned party to the other party and such communication shall form part an integral part of the DSA.
The Parties shall be held free from liability arising from the exercise of their rights and obligations under the DSA except when such liability is attributable to the gross negligence or willful misconduct of any Party or any of its officers/ representatives or employees.
The DSA may be accessed by the concerned data subjects in accordance with the process specified in Section 9 of Executive Order No. 2 (Freedom of Information or FOI). The request for information shall be addressed to the concerned DPOs. For the BIR, the request for
information shall be processed pursuant to the revised FOI Manual of BIR, as circularized in Revenue Memorandum Circular No. 128-2019 dated November 29, 2019. For the PSA, the request for information shall be processed pursuant to its FOI Manual dated November 2016.
In case of security breach involving personal data of data subjects within its network, operating systems, software applications, data storage systems, media channels or its office policies and procedures, the concerned Party shall implement the framework for data breach management and the procedure for personal data breach notification and other requirements as
provided for in the Data Privacy Act, its IRR and other issuances of the NPC, specifically NPC
Circular No. 16-03 on Personal Data Breach Management dated December 15, 2016. If any Party suspects or becomes aware of any security breach involving personal data of data subjects within its network, operating systems, software applications, data storage systems, media channels or office policies and procedures, the Party shall immediately notify the other in writing from the occurrence or discovery of the breach and shall fully cooperate to prevent or stop the personal data breach.
Immediately following the Party’s notification to the other of a personal data breach, the Parties shall coordinate with each other to investigate the said breach. Each Party agrees to fully cooperate with the other to resolve and to prevent the recurrence of a similar breach. Each Party shall immediately resolve any personal data breach and prevent the recurrence thereof at the Party’s sole expense in accordance with the Data Privacy Act, its IRR and other issuances of the NPC.
The parties shall act and have duties and accountabilities of a Personal Information Controller for all personal data received from the other Party, which includes lawful, adequate, and secure processing of personal data. The parties shall fully cooperate with any investigation conducted by the NPC in accordance with its policies and procedure, through its designated DPOs.
The DSA shall take effect immediately and shall remain in full force and effect for a period of five (5) years, subject to renewal or extension at the instance of either Party, which, in no case, shall exceed a period of five (5) years. It may, however, be terminated:
a. upon the expiration of its term, or any valid extension thereof;
b. upon the agreement by all parties;
c. upon a breach of its provisions by any of the parties; or
d. where there is disagreement, upon a finding by the NPC that its continued operation
is no longer necessary, or is contrary to public interest or public policy.
Notwithstanding the foregoing grounds, either Party may terminate the DSA at any time
by giving written notice to the other Party thirty (30) days prior to the effectivity of the termination.
The Parties shall endeavor to resolve any disagreement arising from or in connection with this DSA, in an amicable manner by direct informal negotiation. If the Parties are not able to resolve the dispute after thirty (30) days from commencement of the informal negotiations, the dispute shall be settled in accordance with the Rules on Alternative Dispute Resolution (ADR) for Disputes Between National Government Agencies before the Office of the Solicitor General (OSG).
Any amendment and supplement to the DSA shall be made in writing and mutually agreed
upon by the Parties.