Taxpayers’ privacy compromised by BIR with the use of eBIRForms?

The Bureau of Internal Revenue (BIR) issued various revenue regulations and revenue memorandum circulars, implementing and clarifying various issues about the eBIRForms. They even required all “covered” taxpayers to register and start filing online. That’s not surprising.

What’s surprising is, when you registered, you entered personal information that you expect BIR to protect. Privacy is one of the main concerns in an online world, and by providing your personal information to them, you expect them to protect your privacy and will not use your personal information for other purposes without your consent.

But wait, does BIR even have privacy policy with regards to the use of their eBIRForm package and system?

eBIRForms Privacy Provisions

Looking at the eBIRForms Terms of Service Agreement, under the ‘Security Obligation’ section, you would notice these various provisions related to privacy:

  • [Taxpayer] You undertake to use the Service in a manner that protects your privacy and the data/information you provide.
  • [Accredited Tax Agent] You undertake to use the Service in a manner that protects your privacy and the privacy of the taxpayer you are duly authorized to represent and the data/information you provide.
  • [Software Provider] You undertake to use the Service in a manner that protects your privacy and the privacy of any other person/taxpayer and the data/information you provide.
  • As part of the enrollment process, you will be provided with an account username and password. You agree not to disclose your account password to anyone and you are fully responsible for all activities that occur under your account username.

Looking at all of bullet points, you would notice that part of the terms and conditions of use of the eBIRForms is that, taxpayers and other users agrees to use it in a manner that protects privacy. I am confident that users would not want to expose themselves to privacy issues in their own action.

But the question is, how about the BIR, how are they ensuring that the users’ privacy are protected?

No Warranties on User Privacy

BIR, being the biggest revenue generating arm (not the mention the most controversial) of the Philippine government, should make compliance for taxpayers not only easy but secured as well. Aside from the issues that its IT infrastructures are not able to support the needs of the users (e.g. multiple instances of system downtime, presence of bugs, etc.), considering the volume, privacy issues also persist, and without the knowledge of users, until some curious netizens brought it up in the social media.

If you are going to read the eBIRForms Terms of Service Agreement, under Disclaimer section, you will read the following texts, which I believe should not be there in the first place.

The BIR is providing the eBIRForms website as an alternative mode of filing tax returns. The content of the website is provided in an “as is basis” and without any express or implied warranties.

The BIR does not warrant that the Service will be uninterrupted; be free from inaccuracies, errors, viruses or other harmful components; operate in the configuration or with the hardware or software you use.

The BIR is not liable or responsible for any damages, expenses, costs or loss of any kind (including, but not limited to, any direct, indirect, special, incidental, or consequential damages, financial losses, loss of profits, loss of any data or loss of any opportunity) caused as a result (directly or indirectly) of, or in connection with, your use of the Service (including the downloads and/or use of the online and offline services) or reliance on any information, materials, tools, online or offline services provided in or available from this site.

Aside from the fact that there is no provision in the eBIRForms Terms of Service Agreement about how BIR will protect the taxpayers/users’ privacy, it disclaims responsibility over reliability and accuracy of the system. Although not explicit, such statement also implies that they don’t warrant protection of the users’ privacy. Wow! Eh di wow!

Sound Practices and Internal Controls

If BIR is a third party vendor and wishes to attract a company to use their service, they would have been representing that their system is at least reliable and secure. Imagine entrusting your personal and financial information with a third party whose system isn’t reliable and secure, will you risk it?

But BIR is the exact opposite. They are forcing all “covered” taxpayers to use the system without guarantee that the system can be relied upon and will protect users’ privacy.  And they have the guts to enforce penalty on non-compliance due to the system failure?

I wonder if BIR even compared their processes with the sound practices and even assessed internal controls before implementing the changes. Just like any organization, the lack or inadequacy of internal control often result to unfavorable results, especially when dealing with sensitive information.  That is why they now resort to suspending e-mail as an alternative way to submit tax returns.

Aside from all of these, I strongly feel that inside BIR, there are a lot more problems created by the raw implementation of this system. They have a lot of data to clean up and it will make compliance monitoring more tedious. This is because even if they have the best programmers, they missed one of the most important aspect of it – controls.

Confirmed Breach of Privacy

And now, we have privacy breach.

I actually don’t know whether this is intentional and is really permitted by the BIR or unauthorized which, if so, is a clear indication that there is a lapse in control. 

Ever noticed an e-mail received from IPG Training Institute in the e-mail account used to register in the eBIRForms system? It may look like a normal unsolicited e-mail, until you realize that you are receiving this e-mail only because you enrolled with the eBIRForms. Here’s an example (grabbed from Facebook):

Should you be pleased that you are receiving training invitations that you might need? Well, yes, if you don’t know that someone is using your personal information for their own personal gain. In other words, your personal information has been exploited. And worst of all, someone from the BIR or someone who has access to the BIR system did the exploitation.

It is confirmed by various users that they received such e-mails even for the e-mail accounts that are created solely/exclusively for the purpose of filing returns with the BIR. They feel cheated.

So do you think it’s a big deal? Yes! This is a massive breach of privacy and it’s sad to think that one agencies of the government is involved.  Did you experienced receiving this e-mail as well?

We just hope that BIR will take necessary action to rectify this. God bless us all. 

Leave your Comment!