On January 1, 2016, Senate Bill 272 went into effect, expanding certain agencies' obligations under the California Public Records Act.
SB 272 expands the scope of the CPRA to require each local agency, except a "local educational agency," essentially to make an inventory and, based on this inventory, create a catalogue of its data management systems, hardware, and software applications, which collectively are labeled "enterprise systems." The agency must then post the catalogue of enterprise systems on the agency's website. The purpose of SB 272 is to make an agency's data management practices more transparent.
SB 272 defines an "enterprise system" as a "software application or computer system that collects, stores, exchanges and analyzes information that the agency uses" that is (1) a multidepartment system or a system that contains information collected about the public and (2) a system of record. A system of record is in turn defined as a system that serves as an original source of data within an agency. In other words, SB 272 requires a local agency to create a catalogue of data systems used to collect, store, exchange or analyze information gathered from multiple departments or from the public and post the catalogue on its agency website. Enterprise systems do not include cybersecurity systems, infrastructure and mechanical control systems, or physical access control systems such as video monitoring or employee ID systems.
Although SB 272 attempts to define "enterprise system," the bill in reality does not go far enough in providing examples of what types of systems are covered. In fact, the legislative analysis published prior to SB 272's enactment recognizes that the definitions in the law need to be fine-tuned. Unfortunately, the bill as enacted never addresses these deficiencies. As SB 272 is new, there are as of yet no court decisions defining the term. The legislative history of the bill, however, provides agencies with some insight.
The legislative history suggests that enterprise systems are a combination of hardware and software systems that an agency uses to collect, manage, store or analyze intra-agency and local data for business development and operations purposes, e.g. budget data or constituent data. This may include email systems, document management systems, systems used to store patient records or insurance records, financial data collected by various departments, etc.
Once the agency's enterprise systems are identified, the catalogue must be compiled. It must list the enterprise systems utilized by the agency and, for each system, disclose:
- Current system vendor, e.g. the contractor from whom the product was purchased
- Current system product, e.g. Microsoft SQL
- A brief statement of the system's purpose, e.g. the system is used to store patient records
- A general description of categories or types of data
- The department that serves as the system's primary custodian
- How frequently system data is collected
- How frequently system data is updated
The catalogue must be posted on the agency's website by July 1, 2016. Disclosure is not required if the agency determines that the public interest served by not disclosing the information clearly outweighs the public interest served by the disclosure. Whether the exemption applies is a fact-specific inquiry. SB 272's exemption language mirrors the language found in the "catch all" exemption to the CPRA in Government Code section 6255(a), which permits public agencies to decline to disclose certain documents if "on the facts of a particular case the public interest served by not disclosing the record clearly outweighs the public interest served by disclosure." Therefore, in determining what enterprise systems to disclose and post on an agency's website, an agency should employ the same standard it uses to assess whether disclosure of documents is mandated under other sections of the CPRA.
SB 272 provides that the bill does not apply to "local educational agencies." While the term "local educational agency" generally refers only to K-12 districts in the Education Code, neither SB 272, the CPRA nor the Government Code defines the term. Absent a definition in the Code or further guidance, we interpret SB 272 not to adopt its use in the Education Code, and therefore, to exempt both elementary and secondary school districts and California Community College districts from its application.
The types of enterprise systems maintained by an agency will vary by agency and agency function. For these reasons, we recommend that the persons in charge of responding to CPRA requests contact the head of their information technology ("IT") department to determine what types of enterprise systems the agency maintains. The IT manager may have a better sense of the types of hardware and software systems the agency uses to collect, manage, store or analyze intra-agency and public data. Absent further guidance from the State or the courts, local agencies to which SB 272 applies should make educated guesses and make good faith efforts to comply with these new requirements under the CPRA. We will continue to monitor additional guidance on this bill and provide updates as we learn of them.