BILL ANALYSIS Ó SB 272 Page 1 Date of Hearing: July 15, 2015 ASSEMBLY COMMITTEE ON LOCAL GOVERNMENT Brian Maienschein, Chair SB 272 (Hertzberg) - As Amended July 6, 2015 SENATE VOTE: 37-0 SUBJECT: The California Public Records Act: local agencies: inventory. SUMMARY: Requires local agencies, by July 1, 2016, to create a catalog of their enterprise systems, make the catalog publicly available, and post the catalog on their Internet Web sites. Specifically, this bill: 1)Requires each local agency, except a local educational agency, in implementing the California Public Records Act (CPRA), to create a catalog of enterprise systems. 2)Requires the catalog to be made publicly available upon request in the office of the person or officer designated by the agency's legislative body, and to be posted in a prominent location on the local agency's Internet Web site (website), if the agency has a website. SB 272 Page 2 3)Requires the catalog to disclose a list of the enterprise systems utilized by the agency and, for each system, to disclose all of the following: a) Current system vendor; b) Current system product; c) A brief statement of the system's purpose; d) A general description of categories or types of data; e) The department that serves as the system's primary custodian; f) How frequently system data is collected; and, g) How frequently system data is updated. 4)Provides that this bill shall not be interpreted to limit a person's right to inspect public records, pursuant to the CPRA. SB 272 Page 3 5)Provides the following definitions: a) "Enterprise system" means a software application or computer system that collects, stores, exchanges, and analyzes information that the agency uses that is both of the following: i) A multidepartmental system or a system that contains information collected about the public; and, ii) A system of record. b) "System of record" means a system that serves as an original source of data within an agency. 6)Provides that an enterprise system shall not include any of the following: a) Information technology security systems, including firewalls and other cybersecurity systems; b) Physical access control systems, employee identification management systems, video monitoring, and other physical SB 272 Page 4 control systems; c) Infrastructure and mechanical control systems, including those that control or manage street lights, or water or sewer functions; d) Systems that would be restricted from disclosure pursuant to existing law, as specified, which exempts from the CPRA the disclosure of information security records that would reveal vulnerabilities of an information technology system or increase the potential for cyber attacks, as specified; and, e) The specific records that the information technology system collects, stores, exchanges, or analyzes. 7)Provides that nothing in this bill shall be construed to permit public access to records held by an agency to which access is otherwise restricted by statute or to alter the process for requesting public records, as set forth in the CPRA. 8)Requires the local agency to complete and post the catalog required by this bill by July 1, 2016, and thereafter to update the catalog annually. 9)Makes a number of findings and declarations regarding new SB 272 Page 5 information technology, its use in government, California's role in "moving our nation forward in the world of technology," and the need to adopt standards to "ensure that data collection and publication are standardized, including uniform definitions for machine-readable data." 10)Finds and declares that Section 2 of the bill furthers, within the meaning of paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution, the purposes of that constitutional section as it relates to the right of public access to the meetings of local public bodies or the writings of local public officials and local agencies and declares, pursuant to paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution, that the Legislature makes the following findings: Because increased information about what data is collected by local agencies could be leveraged by the public to more efficiently access and better use that information, the act furthers the purpose of Section 3 of Article I of the California Constitution. 11)Provides that no reimbursement is required by this bill because the only costs that may be incurred by a local agency or school district under this act would result from a legislative mandate that is within the scope of paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution. SB 272 Page 6 EXISTING LAW: 1)Requires public agencies, pursuant to the CPRA, to make their records available for public inspection and, upon request, to provide a copy of a public record, unless the record is exempt from disclosure. 2)Requires a public agency to make non-exempt electronic public records available in any electronic format in which it holds the information or, if requested, in an electronic format used by the agency to create copies for its own or another agency's use. 3)Authorizes a public agency to charge to the requester the direct cost of producing the electronic public record. 4)Requires the requester of the electronic record to bear the cost of producing a copy of the record, including the cost to construct a record, and the cost of programming and computer services necessary to produce a copy of the record if the public agency produces the electronic record only at regularly scheduled intervals or the request requires data compilation, extraction, or programming to produce the record. 5)Provides that a public agency is not required to release an electronic record in the electronic form in which it is held by the agency, if its release would jeopardize or compromise the security or integrity of the original record or of any proprietary software in which it is maintained. 6)Provides that nothing in the CPRA shall be construed to require the disclosure of an information security record of a public agency, if, on the facts of the particular case, disclosure of that record would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of a public agency. FISCAL EFFECT: According to the Senate Appropriations SB 272 Page 7 Committee: 1)Unknown, likely significant costs to local agencies to compile information on enterprise systems that contain data collected about the public, post the catalog on agency websites, and make it available to the public (Local funds). These costs are not anticipated to be reimbursable from the state General Fund. See staff comments. 2)Potential costs in the low tens of thousands to the Commission on State Mandates (COSM). To the extent an affected local agency files a test claim for reimbursement of mandated costs, Commission legal staff would prepare a full analysis of the legal and factual issues raised for purposes of a determination by the COSM. COMMENTS: 1)Bill Summary. This bill requires each local agency, in implementing the CPRA, to create a catalog of its enterprise systems, make that catalog publicly available in the office of the person or officer designated by the agency's legislative body, and post that catalog in a prominent location in the local agency's website, if it has one. The bill defines "enterprise system" to mean a software application or computer system that collects, stores, exchanges, and analyzes information that the agency uses that is both of the following: a multidepartmental system or a system that contains information collected about the public; and, a system of record. "System of record" means a system that serves as an original source of data within an agency. For each enterprise system, the local agency must disclose all SB 272 Page 8 of the following: a) Current system vendor; b) Current system product; c) A brief statement of the system's purpose; d) A general description of categories or types of data; e) The department that serves as the system's primary custodian; f) How frequently system data is collected; and, g) How frequently system data is updated. The bill exempts the following from its requirements: SB 272 Page 9 a) Information technology security systems, including firewalls and other cybersecurity systems; b) Physical access control systems, employee identification management systems, video monitoring, and other physical control systems; c) Infrastructure and mechanical control systems, including those that control or manage street lights, or water or sewer functions; d) Systems that would be restricted from disclosure pursuant to existing law, as specified, which exempts from the CPRA the disclosure of information security records that would reveal vulnerabilities of an information technology system or increase the potential for cyber attacks, as specified; and, e) The specific records that the information technology system collects, stores, exchanges, or analyzes. Each local agency must complete and post the catalog by July 1, 2016, and update the catalog annually thereafter. This bill is sponsored by the author. SB 272 Page 10 2)Author's Statement. According to the author, "Local government agencies throughout California possess a potentially powerful tool for improving the lives of Californians: data. In too many cases, however, local agencies - and the constituents they serve - do not know what data they have collected or how to access it. SB 272 will identify what information is being kept by local agencies, how it is maintained, and who is responsible. Publishing a catalog of this information will reveal how accessible and usable the information is for public review and analysis, and immediately empower Californians to utilize this information. "There are thousands of local public agencies that collect information on critical government programs and services. The data include building permits and public parks to potholes and public transportation. Harnessing the power of this locally generated data could help spur economic growth, tackle major infrastructure issues and set millions of Californians on a path toward upward mobility. Properly gathered and clearly understood data would also help empower state and local agencies to collaborate more effectively and improve service delivery." 3)Background. The CPRA, enacted in 1968, requires public disclosure of public agency documents. The CPRA gives every person the right to inspect and obtain copies of all state and local government documents not exempt from disclosure. Recognizing that public agencies were increasingly relying on electronic documents, the Legislature approved AB 2799 (Shelley), Chapter 982, Statutes of 2000. Among other things, AB 2799 required public agencies, upon request, to SB 272 Page 11 disclose electronic records in an electronic format in which the agency held information, or in a format that had been used by the agency to create copies for its own use or for use by other public agencies. Since that time, the Open Data movement has been rapidly growing in popularity and recognition, both nationally and in California. Computer technology has advanced to provide open format software, which allows electronic documents created and maintained by public agencies to be searched, indexed, and redacted electronically. In 2009, in order to increase government agency accountability, promote informed public participation, and create economic opportunity through expanding access to information online in open formats, the United States Director of the Office of Management and Budget issued an Open Government Directive to federal government agencies. This Directive provided guidelines to public agencies responding to public requests under the Freedom of Information Act and instructed federal government agencies to "publish information online in an open format that can be retrieved, downloaded, indexed, and searched by commonly used web search applications." In 2013, President Obama signed Executive Order No. 13642, which established the Open Data Policy and required all newly generated government data to be made available in open, machine-readable formats in order to "promote continued job SB 272 Page 12 growth, Government efficiency, and the social good that can be gained from opening Government data to the public." 4)California Open Data Portals. The California Health and Human Services Agency (CHHS) launched an Open Data Portal (portal) initiative in order to increase public access to one of the state's most valuable assets - non-confidential health and human services data. According to the CHHS portal, "Its goals are to spark innovation, promote research and economic opportunities, engage public participation in government, increase transparency, and inform decision-making. 'Open Data' describes data that are freely available, machine-readable, and formatted according to national technical standards to facilitate visibility and reuse of published data. "The portal offers access to standardized data that can be easily retrieved, combined, downloaded, sorted, searched, analyzed, redistributed and re-used by individuals, business, researchers, journalists, developers, and government to process, trend, and innovate. (It) puts tools for transparency, accountability, and innovation directly into the hands of Californians and others through a centralized, user-friendly interface. (The portal) provides users with a single point of entry to access CHHS departments' publishable data. This increased visibility provides derivative value as the public is able to analyze and utilize publicly available (publishable) government data to better understand what is happening in government on all levels - federal, state, and local." The CHHS also developed an Open Data Handbook (handbook), SB 272 Page 13 which provides guidelines to identify, review, prioritize and prepare publishable CHHS data for access by the public via the CHHS portal. The handbook is intended to serve both as an internal and external resource to any party that may be interested in improving the general public's online access to data, and to provide an understanding of the processes by which CHHS makes its publishable data tables available. The handbook "focuses on general guidelines and thoughtful processes but also provides linked tools/resources that operationalize those processes." The State Controller also has an open data website, which contains financial and statistical information for cities and counties around the state, allowing visitors to track spending, revenues, assets, and liabilities. The Controller's website contains more than 13 million fields of data for counties and cities over an eleven-year period, from 2002-2013. 5)Open Data and Cities. The National League of Cities in 2014 issued a report entitled, "City Open Data Policies: Learning by Doing." According to the report, "The White House launched its Open Government Initiative in 2013, including its Data.gov website, thus beginning the process of making government data more readily available. In the wake of this federal initiative, in partnership with communities, private companies, advocates, and the technology sector, cities have begun to innovatively pursue open data. SB 272 Page 14 "As the primary providers of government services, cities collect and hold massive amounts of data about crimes, waste management, transportation, education, housing, consumption, and more. Until recently, much of the inherent potential in this data has been untapped. By making city data freely accessible, governments have not only improved their transparency, but have begun to use open data as a means to improve services and gather more information about communities?(However), open data is still a new concept to governments and practice models for implementation and design are lacking." Several local jurisdictions in California have launched their own Open Data websites or portals. For example, the City of Los Angeles has a searchable website with information on the economy, public safety, environment, city services, city budget, events and culture, parks and libraries, and transportation. About three months after the launch of Los Angeles' open data site, the city appointed its first Chief of Data officer. As another example, AmLegal Decoder was deployed in San Francisco after the Mayor's Office of Civic Innovation, The OpenGov Foundation and American Legal Publishing Corp. teamed up to transform and publish the city's laws and legal and technical codes at SanFranciscoCode.org. AmLegal Decoder is open-source software that automatically updates SanFranciscoCode.org and delivers every newly codified city law accessible online for city employees, everyday citizens and anyone else who might need them. SB 272 Page 15 In addition, the City of Long Beach has its own open data site, OpenUpLongBeach.com. Long Beach and Fresno have hosted open data events as well. The Open Knowledge Foundation also lists Sacramento, San Jose, Oakland, West Hollywood, Pasadena, Culver City, Santa Clarita, Bell, Manhattan Beach, San Diego, Burbank, Compton, and other California cities in its U.S. Cities Open Data Census. 6)Proposition 42. Proposition 42 was passed by voters on June 3, 2014, and requires all local governments to comply with the CPRA and the Ralph M. Brown Act (Brown Act) and with any subsequent changes to those Acts. Proposition 42 also eliminated reimbursements to local agencies for costs of complying with the CPRA and the Brown Act. This bill contains language that says that the Legislature finds and declares that Section 2 of the bill furthers the purpose of the California Constitution as it relates to the right of public access to the meetings of local public bodies or the writings of local public officials and local agencies. Pursuant to paragraph (7) of subdivision (b) of Section 3 of Article I of the Constitution, the bill also includes a finding that says that " Because increased information about what data is collected by local agencies could be leveraged by the public to more efficiently access and better use that information, the act furthers the purpose of Section 3 of Article I of the California Constitution." SB 272 Page 16 Section 4 of the bill specifies that no reimbursement for local agencies to implement the bill's provisions is necessary because "the only costs that may be incurred by a local agency or school district?would result from a legislative mandate that is within the scope of paragraph (7) of subdivision (b) of Section 3 of Article I of the California Constitution." 7)Related Legislation. AB 169 (Maienschein) establishes open format requirements for posting a public record if a local agency maintains an "open data" Internet Resource, as specified, and voluntarily posts the public record. AB 169 is pending in the Senate Appropriations Committee. AB 1215 (Ting) creates the California Open Data Act and the position of Chief Data Officer, who is required to establish the California Open Data Standard (standard), as specified; requires state agencies to make public data, as defined, available on an Internet Web portal pursuant to that standard; and, allows a local government to adopt that standard. AB 1215 was held in the Assembly Appropriations Committee. SB 573 (Pan) requires the Governor to appoint a Chief Data Officer, who is required to create a statewide open data portal, as defined, to provide public access to public data held by state agencies. SB 573 is pending in the Assembly SB 272 Page 17 Appropriations Committee. 8)Previous Legislation. SB 1002 (Yee) of 2012 would have required the State Chief Information Officer to conduct a study to determine the feasibility of providing electronic records in an open format. SB 1002 was vetoed with the following message: The role of the State Chief Information Officer is to make sure that state government uses information technology efficiently and effectively - including providing public records electronically when possible. Another legislative report on electronic public records isn't necessary. AB 2799 (Shelley), Chapter 982, Statutes of 2000, required public agencies, upon request, to disclose electronic records in an electronic format in which the agency held information or in a format that had been used by the agency to create copies for its own use or for other public agencies. 9)Arguments in Support. The Sunlight Foundation, in support, writes, "(A)chieving better public knowledge of the data that governments hold is at the very core of achieving open government in the 21st century. The Sunlight Foundation routinely emphasizes that open data means more than just SB 272 Page 18 accessing data the government has already chosen to publish - it also means knowing what information the government is aware it holds, what data the government isn't releasing, and how the government is prioritizing publication of its data assets. Through SB 272, California will increase public awareness of what datasets are held by local governments and take a critical step toward unlocking the power of local data across the state." 10)Arguments in Opposition. A coalition, including the California Association of Joint Powers Authorities, the California Police Chiefs Association, the California Special Districts Association, the California State Association of Counties, the California State Sheriffs' Association, the County Recorders Association of California, the League of California Cities, the Municipal Information Systems Association of California,, the Rural County Representatives of California, and the Urban Counties Caucus, who have an oppose, unless amended, position, writes: "Our associations raised concerns about the serious cyber security risks that SB 272 presents by requiring the vendor name and product to be listed. Local agencies utilize electronic systems to manage information related to health and public safety services, utilities, and public works. There has been increased awareness of cyber security issues in recent years due to an increased number of system breaches and hacking threats. As currently written, SB 272 would comprise the security of our systems jeopardizing the sensitive information within. We continue to require that instead of listing the product name, allow for a title or other identifier to be used. Regarding the vendor name, we are asking for an amendment to make it clear that it would be SB 272 Page 19 up to the information technology experts to make a determination under the exemption currently provided in the bill for cyber security. This would allow for the system to be referenced in a way that is not overly specific as to jeopardize security. "The recent amendments to this bill have removed the previous Information Technology Systems definition and replaced (it) with language in previous versions which defines enterprise system for purposes of the catalog. These new amendments remove problematic language for local governments and provide some of the exemptions that we have requested. However there are two exemptions that we have requested that are not yet reflected in the July 6th version: 911 and emergency communications systems, and natural gas and electricity systems. "In summary, we are requesting the following amendments to the July 6th version of SB 272: SB 272 Page 20 Specifically list vendor in (Government Code Section) 6254.19 to allow information technology experts to decide as to whether it is a security risk. Include 911 and emergency services as well as natural gas and electricity to the list of exemptions." 11)Double-Referral. This bill was heard by the Judiciary Committee on June 30, 2015, where it passed with a 10-vote. REGISTERED SUPPORT / OPPOSITION: Support American Civil Liberties Union of California American Federation of State, County and Municipal Employees, AFL-CIO Associated Builders and Contractors of California Building Owners and Managers Association of California California Asian Pacific Chamber of Commerce California Broadcasters Association SB 272 Page 21 California Business Properties Association California Business Roundtable California Forward Action Fund California League of Food Processors California Manufacturers & Technology Association California Professional Firefighters California Retailers Association Commercial Real Estate Development Association Family Business Association Firearms Policy Coalition International Council of Shopping Centers Los Angeles County Business Federation National Federation of Independent Businesses SB 272 Page 22 San Diego Regional Data Library San Francisco Technology Democrats Sunlight Foundation Urban Strategies Council Concerns City of Roseville Opposition California Association of Joint Powers Authorities (unless amended) California Municipal Utilities Association California Police Chiefs Association (unless amended) Opposition (continued) SB 272 Page 23 California Special Districts Association (unless amended) California State Association of Counties (unless amended) California State Sheriffs' Association (unless amended) Cites of Camarillo and Diamond Bar County Recorders Association of California (unless amended) Desert Water Agency El Dorado Irrigation District League of California Cities (unless amended) Municipal Information Systems Association of California (unless amended) Rowland Water District Rural County Representatives of California (unless amended) Urban Counties Caucus (unless amended) SB 272 Page 24 Analysis Prepared by:Angela Mapp / L. GOV. / (916) 319-3958