BILL ANALYSIS �Ó
SB 272
Page 1
Date of Hearing: July 15, 2015
ASSEMBLY COMMITTEE ON LOCAL GOVERNMENT
Brian Maienschein, Chair
SB
272 (Hertzberg) - As Amended July 6, 2015
SENATE VOTE: 37-0
SUBJECT: The California Public Records Act: local agencies:
inventory.
SUMMARY: Requires local agencies, by July 1, 2016, to create a
catalog of their enterprise systems, make the catalog publicly
available, and post the catalog on their Internet Web sites.
Specifically, this bill:
1)Requires each local agency, except a local educational agency,
in implementing the California Public Records Act (CPRA), to
create a catalog of enterprise systems.
2)Requires the catalog to be made publicly available upon
request in the office of the person or officer designated by
the agency's legislative body, and to be posted in a prominent
location on the local agency's Internet Web site (website), if
the agency has a website.
�
SB 272
Page 2
3)Requires the catalog to disclose a list of the enterprise
systems utilized by the agency and, for each system, to
disclose all of the following:
a) Current system vendor;
b) Current system product;
c) A brief statement of the system's purpose;
d) A general description of categories or types of data;
e) The department that serves as the system's primary
custodian;
f) How frequently system data is collected; and,
g) How frequently system data is updated.
4)Provides that this bill shall not be interpreted to limit a
person's right to inspect public records, pursuant to the
CPRA.
�
SB 272
Page 3
5)Provides the following definitions:
a) "Enterprise system" means a software application or
computer system that collects, stores, exchanges, and
analyzes information that the agency uses that is both of
the following:
i) A multidepartmental system or a system that contains
information collected about the public; and,
ii) A system of record.
b) "System of record" means a system that serves as an
original source of data within an agency.
6)Provides that an enterprise system shall not include any of
the following:
a) Information technology security systems, including
firewalls and other cybersecurity systems;
b) Physical access control systems, employee identification
management systems, video monitoring, and other physical
�
SB 272
Page 4
control systems;
c) Infrastructure and mechanical control systems, including
those that control or manage street lights, or water or
sewer functions;
d) Systems that would be restricted from disclosure
pursuant to existing law, as specified, which exempts from
the CPRA the disclosure of information security records
that would reveal vulnerabilities of an information
technology system or increase the potential for cyber
attacks, as specified; and,
e) The specific records that the information technology
system collects, stores, exchanges, or analyzes.
7)Provides that nothing in this bill shall be construed to
permit public access to records held by an agency to which
access is otherwise restricted by statute or to alter the
process for requesting public records, as set forth in the
CPRA.
8)Requires the local agency to complete and post the catalog
required by this bill by July 1, 2016, and thereafter to
update the catalog annually.
9)Makes a number of findings and declarations regarding new
�
SB 272
Page 5
information technology, its use in government, California's
role in "moving our nation forward in the world of
technology," and the need to adopt standards to "ensure that
data collection and publication are standardized, including
uniform definitions for machine-readable data."
10)Finds and declares that Section 2 of the bill furthers,
within the meaning of paragraph (7) of subdivision (b) of
Section 3 of Article I of the California Constitution, the
purposes of that constitutional section as it relates to the
right of public access to the meetings of local public bodies
or the writings of local public officials and local agencies
and declares, pursuant to paragraph (7) of subdivision (b) of
Section 3 of Article I of the California Constitution, that
the Legislature makes the following findings:
Because increased information about what data is collected by
local agencies could be leveraged by the public to more
efficiently access and better use that information, the act
furthers the purpose of Section 3 of Article I of the
California Constitution.
11)Provides that no reimbursement is required by this bill
because the only costs that may be incurred by a local agency
or school district under this act would result from a
legislative mandate that is within the scope of paragraph (7)
of subdivision (b) of Section 3 of Article I of the California
Constitution.
�
SB 272
Page 6
EXISTING LAW:
1)Requires public agencies, pursuant to the CPRA, to make their
records available for public inspection and, upon request, to
provide a copy of a public record, unless the record is exempt
from disclosure.
2)Requires a public agency to make non-exempt electronic public
records available in any electronic format in which it holds
the information or, if requested, in an electronic format used
by the agency to create copies for its own or another agency's
use.
3)Authorizes a public agency to charge to the requester the
direct cost of producing the electronic public record.
4)Requires the requester of the electronic record to bear the
cost of producing a copy of the record, including the cost to
construct a record, and the cost of programming and computer
services necessary to produce a copy of the record if the
public agency produces the electronic record only at regularly
scheduled intervals or the request requires data compilation,
extraction, or programming to produce the record.
5)Provides that a public agency is not required to release an
electronic record in the electronic form in which it is held
by the agency, if its release would jeopardize or compromise
the security or integrity of the original record or of any
proprietary software in which it is maintained.
6)Provides that nothing in the CPRA shall be construed to
require the disclosure of an information security record of a
public agency, if, on the facts of the particular case,
disclosure of that record would reveal vulnerabilities to, or
otherwise increase the potential for an attack on, an
information technology system of a public agency.
FISCAL EFFECT: According to the Senate Appropriations
�
SB 272
Page 7
Committee:
1)Unknown, likely significant costs to local agencies to compile
information on enterprise systems that contain data collected
about the public, post the catalog on agency websites, and
make it available to the public (Local funds). These costs
are not anticipated to be reimbursable from the state General
Fund. See staff comments.
2)Potential costs in the low tens of thousands to the Commission
on State Mandates (COSM). To the extent an affected local
agency files a test claim for reimbursement of mandated costs,
Commission legal staff would prepare a full analysis of the
legal and factual issues raised for purposes of a
determination by the COSM.
COMMENTS:
1)Bill Summary. This bill requires each local agency, in
implementing the CPRA, to create a catalog of its enterprise
systems, make that catalog publicly available in the office of
the person or officer designated by the agency's legislative
body, and post that catalog in a prominent location in the
local agency's website, if it has one. The bill defines
"enterprise system" to mean a software application or computer
system that collects, stores, exchanges, and analyzes
information that the agency uses that is both of the
following: a multidepartmental system or a system that
contains information collected about the public; and, a system
of record. "System of record" means a system that serves as
an original source of data within an agency.
For each enterprise system, the local agency must disclose all
�
SB 272
Page 8
of the following:
a) Current system vendor;
b) Current system product;
c) A brief statement of the system's purpose;
d) A general description of categories or types of data;
e) The department that serves as the system's primary
custodian;
f) How frequently system data is collected; and,
g) How frequently system data is updated.
The bill exempts the following from its requirements:
�
SB 272
Page 9
a) Information technology security systems, including
firewalls and other cybersecurity systems;
b) Physical access control systems, employee identification
management systems, video monitoring, and other physical
control systems;
c) Infrastructure and mechanical control systems, including
those that control or manage street lights, or water or
sewer functions;
d) Systems that would be restricted from disclosure
pursuant to existing law, as specified, which exempts from
the CPRA the disclosure of information security records
that would reveal vulnerabilities of an information
technology system or increase the potential for cyber
attacks, as specified; and,
e) The specific records that the information technology
system collects, stores, exchanges, or analyzes.
Each local agency must complete and post the catalog by July
1, 2016, and update the catalog annually thereafter. This
bill is sponsored by the author.
�
SB 272
Page 10
2)Author's Statement. According to the author, "Local
government agencies throughout California possess a
potentially powerful tool for improving the lives of
Californians: data. In too many cases, however, local
agencies - and the constituents they serve - do not know what
data they have collected or how to access it. SB 272 will
identify what information is being kept by local agencies, how
it is maintained, and who is responsible. Publishing a
catalog of this information will reveal how accessible and
usable the information is for public review and analysis, and
immediately empower Californians to utilize this information.
"There are thousands of local public agencies that collect
information on critical government programs and services. The
data include building permits and public parks to potholes and
public transportation. Harnessing the power of this locally
generated data could help spur economic growth, tackle major
infrastructure issues and set millions of Californians on a
path toward upward mobility. Properly gathered and clearly
understood data would also help empower state and local
agencies to collaborate more effectively and improve service
delivery."
3)Background. The CPRA, enacted in 1968, requires public
disclosure of public agency documents. The CPRA gives every
person the right to inspect and obtain copies of all state and
local government documents not exempt from disclosure.
Recognizing that public agencies were increasingly relying on
electronic documents, the Legislature approved
AB 2799 (Shelley), Chapter 982, Statutes of 2000. Among other
things, AB 2799 required public agencies, upon request, to
�
SB 272
Page 11
disclose electronic records in an electronic format in which
the agency held information, or in a format that had been used
by the agency to create copies for its own use or for use by
other public agencies.
Since that time, the Open Data movement has been rapidly
growing in popularity and recognition, both nationally and in
California. Computer technology has advanced to provide open
format software, which allows electronic documents created and
maintained by public agencies to be searched, indexed, and
redacted electronically.
In 2009, in order to increase government agency
accountability, promote informed public participation, and
create economic opportunity through expanding access to
information online in open formats, the United States Director
of the Office of Management and Budget issued an Open
Government Directive to federal government agencies. This
Directive provided guidelines to public agencies responding to
public requests under the Freedom of Information Act and
instructed federal government agencies to "publish information
online in an open format that can be retrieved, downloaded,
indexed, and searched by commonly used web search
applications."
In 2013, President Obama signed Executive Order No. 13642,
which established the Open Data Policy and required all newly
generated government data to be made available in open,
machine-readable formats in order to "promote continued job
�
SB 272
Page 12
growth, Government efficiency, and the social good that can be
gained from opening Government data to the public."
4)California Open Data Portals. The California Health and Human
Services Agency (CHHS) launched an Open Data Portal (portal)
initiative in order to increase public access to one of the
state's most valuable assets - non-confidential health and
human services data. According to the CHHS portal, "Its goals
are to spark innovation, promote research and economic
opportunities, engage public participation in government,
increase transparency, and inform decision-making. 'Open
Data' describes data that are freely available,
machine-readable, and formatted according to national
technical standards to facilitate visibility and reuse of
published data.
"The portal offers access to standardized data that can be
easily retrieved, combined, downloaded, sorted, searched,
analyzed, redistributed and re-used by individuals, business,
researchers, journalists, developers, and government to
process, trend, and innovate. (It) puts tools for
transparency, accountability, and innovation directly into the
hands of Californians and others through a centralized,
user-friendly interface. (The portal) provides users with a
single point of entry to access CHHS departments' publishable
data. This increased visibility provides derivative value as
the public is able to analyze and utilize publicly available
(publishable) government data to better understand what is
happening in government on all levels - federal, state, and
local."
The CHHS also developed an Open Data Handbook (handbook),
�
SB 272
Page 13
which provides guidelines to identify, review, prioritize and
prepare publishable CHHS data for access by the public via the
CHHS portal. The handbook is intended to serve both as an
internal and external resource to any party that may be
interested in improving the general public's online access to
data, and to provide an understanding of the processes by
which CHHS makes its publishable data tables available. The
handbook "focuses on general guidelines and thoughtful
processes but also provides linked tools/resources that
operationalize those processes."
The State Controller also has an open data website, which
contains financial and statistical information for cities and
counties around the state, allowing visitors to track
spending, revenues, assets, and liabilities. The Controller's
website contains more than 13 million fields of data for
counties and cities over an eleven-year period, from
2002-2013.
5)Open Data and Cities. The National League of Cities in 2014
issued a report entitled, "City Open Data Policies: Learning
by Doing." According to the report, "The White House launched
its Open Government Initiative in 2013, including its Data.gov
website, thus beginning the process of making government data
more readily available. In the wake of this federal
initiative, in partnership with communities, private
companies, advocates, and the technology sector, cities have
begun to innovatively pursue open data.
�
SB 272
Page 14
"As the primary providers of government services, cities
collect and hold massive amounts
of data about crimes, waste management, transportation,
education, housing, consumption, and more. Until recently,
much of the inherent potential in this data has been untapped.
By making city data freely accessible, governments have not
only improved their transparency, but have begun to use open
data as a means to improve services and gather more
information about communities?(However), open data is still a
new concept to governments and practice models for
implementation and design are lacking."
Several local jurisdictions in California have launched their
own Open Data websites or portals. For example, the City of
Los Angeles has a searchable website with information on the
economy, public safety, environment, city services, city
budget, events and culture, parks and libraries, and
transportation. About three months after the launch of Los
Angeles' open data site, the city appointed its first Chief of
Data officer.
As another example, AmLegal Decoder was deployed in San
Francisco after the Mayor's Office of Civic Innovation, The
OpenGov Foundation and American Legal Publishing Corp. teamed
up to transform and publish the city's laws and legal and
technical codes at SanFranciscoCode.org. AmLegal Decoder is
open-source software that automatically updates
SanFranciscoCode.org and delivers every newly codified city
law accessible online for city employees, everyday citizens
and anyone else who might need them.
�
SB 272
Page 15
In addition, the City of Long Beach has its own open data
site, OpenUpLongBeach.com. Long Beach and Fresno have hosted
open data events as well. The Open Knowledge Foundation also
lists Sacramento, San Jose, Oakland, West Hollywood, Pasadena,
Culver City, Santa Clarita, Bell, Manhattan Beach, San Diego,
Burbank, Compton, and other California cities in its U.S.
Cities Open Data Census.
6)Proposition 42. Proposition 42 was passed by voters on June
3, 2014, and requires all local governments to comply with the
CPRA and the Ralph M. Brown Act (Brown Act) and with any
subsequent changes to those Acts. Proposition 42 also
eliminated reimbursements to local agencies for costs of
complying with the CPRA and the Brown Act.
This bill contains language that says that the Legislature
finds and declares that Section 2 of the bill furthers the
purpose of the California Constitution as it relates to the
right of public access to the meetings of local public bodies
or the writings of local public officials and local agencies.
Pursuant to paragraph (7) of subdivision (b) of Section 3 of
Article I of the Constitution, the bill also includes a
finding that says that " Because increased information about
what data is collected by local agencies could be leveraged by
the public to more efficiently access and better use that
information, the act furthers the purpose of Section 3 of
Article I of the California Constitution."
�
SB 272
Page 16
Section 4 of the bill specifies that no reimbursement for
local agencies to implement the bill's provisions is necessary
because "the only costs that may be incurred by a local agency
or school district?would result from a legislative mandate
that is within the scope of paragraph (7) of subdivision (b)
of Section 3 of Article I of the California Constitution."
7)Related Legislation. AB 169 (Maienschein) establishes open
format requirements for posting a public record if a local
agency maintains an "open data" Internet Resource, as
specified, and voluntarily posts the public record. AB 169 is
pending in the Senate Appropriations Committee.
AB 1215 (Ting) creates the California Open Data Act and the
position of Chief Data Officer, who is required to establish
the California Open Data Standard (standard), as specified;
requires state agencies to make public data, as defined,
available on an Internet Web portal pursuant to that standard;
and, allows a local government to adopt that standard. AB
1215 was held in the Assembly Appropriations Committee.
SB 573 (Pan) requires the Governor to appoint a Chief Data
Officer, who is required to create a statewide open data
portal, as defined, to provide public access to public data
held by state agencies. SB 573 is pending in the Assembly
�
SB 272
Page 17
Appropriations Committee.
8)Previous Legislation. SB 1002 (Yee) of 2012 would have
required the State Chief Information Officer to conduct a
study to determine the feasibility of providing electronic
records in an open format. SB 1002 was vetoed with the
following message:
The role of the State Chief Information Officer is to make
sure that state government uses information technology
efficiently and effectively - including providing public
records electronically when possible. Another legislative
report on electronic public records isn't necessary.
AB 2799 (Shelley), Chapter 982, Statutes of 2000, required
public agencies, upon request, to disclose electronic records
in an electronic format in which the agency held information
or in a format that had been used by the agency to create
copies for its own use or for other public agencies.
9)Arguments in Support. The Sunlight Foundation, in support,
writes, "(A)chieving better public knowledge of the data that
governments hold is at the very core of achieving open
government in the 21st century. The Sunlight Foundation
routinely emphasizes that open data means more than just
�
SB 272
Page 18
accessing data the government has already chosen to publish -
it also means knowing what information the government is aware
it holds, what data the government isn't releasing, and how
the government is prioritizing publication of its data assets.
Through SB 272, California will increase public awareness of
what datasets are held by local governments and take a
critical step toward unlocking the power of local data across
the state."
10)Arguments in Opposition. A coalition, including the
California Association of Joint Powers Authorities, the
California Police Chiefs Association, the California Special
Districts Association, the California State Association of
Counties, the California State Sheriffs' Association, the
County Recorders Association of California, the League of
California Cities, the Municipal Information Systems
Association of California,, the Rural County Representatives
of California, and the Urban Counties Caucus, who have an
oppose, unless amended, position, writes:
"Our associations raised concerns about the serious cyber
security risks that SB 272 presents by requiring the vendor
name and product to be listed. Local agencies utilize
electronic systems to manage information related to health and
public safety services, utilities, and public works. There
has been increased awareness of cyber security issues in
recent years due to an increased number of system breaches and
hacking threats. As currently written,
SB 272 would comprise the security of our systems jeopardizing
the sensitive information within. We continue to require that
instead of listing the product name, allow for a title or
other identifier to be used. Regarding the vendor name, we
are asking for an amendment to make it clear that it would be
�
SB 272
Page 19
up to the information technology experts to make a
determination under the exemption currently provided in the
bill for cyber security. This would allow for the system to
be referenced in a way that is not overly specific as to
jeopardize security.
"The recent amendments to this bill have removed the previous
Information Technology Systems definition and replaced (it)
with language in previous versions which defines enterprise
system for purposes of the catalog. These new amendments
remove problematic language for local governments and provide
some of the exemptions that we have requested. However there
are two exemptions that we have requested that are not yet
reflected in the July 6th version: 911 and emergency
communications systems, and natural gas and electricity
systems.
"In summary, we are requesting the following amendments to the
July 6th version of
SB 272:
�
SB 272
Page 20
Specifically list vendor in (Government Code Section)
6254.19 to allow information technology experts to decide
as to whether it is a security risk.
Include 911 and emergency services as well as natural
gas and electricity to the list of exemptions."
11)Double-Referral. This bill was heard by the Judiciary
Committee on June 30, 2015, where it passed with a 10-vote.
REGISTERED SUPPORT / OPPOSITION:
Support
American Civil Liberties Union of California
American Federation of State, County and Municipal Employees,
AFL-CIO
Associated Builders and Contractors of California
Building Owners and Managers Association of California
California Asian Pacific Chamber of Commerce
California Broadcasters Association
�
SB 272
Page 21
California Business Properties Association
California Business Roundtable
California Forward Action Fund
California League of Food Processors
California Manufacturers & Technology Association
California Professional Firefighters
California Retailers Association
Commercial Real Estate Development Association
Family Business Association
Firearms Policy Coalition
International Council of Shopping Centers
Los Angeles County Business Federation
National Federation of Independent Businesses
�
SB 272
Page 22
San Diego Regional Data Library
San Francisco Technology Democrats
Sunlight Foundation
Urban Strategies Council
Concerns
City of Roseville
Opposition
California Association of Joint Powers Authorities (unless
amended)
California Municipal Utilities Association
California Police Chiefs Association (unless amended)
Opposition (continued)
�
SB 272
Page 23
California Special Districts Association (unless amended)
California State Association of Counties (unless amended)
California State Sheriffs' Association (unless amended)
Cites of Camarillo and Diamond Bar
County Recorders Association of California (unless amended)
Desert Water Agency
El Dorado Irrigation District
League of California Cities (unless amended)
Municipal Information Systems Association of California (unless
amended)
Rowland Water District
Rural County Representatives of California (unless amended)
Urban Counties Caucus (unless amended)
�
SB 272
Page 24
Analysis Prepared by:Angela Mapp / L. GOV. / (916)
319-3958