BILL ANALYSIS                                                                                                                                                                                                    Ó



                                                                     SB 272


                                                                    Page  1





          Date of Hearing:  July 15, 2015


                       ASSEMBLY COMMITTEE ON LOCAL GOVERNMENT


                              Brian Maienschein, Chair


          SB  
          272 (Hertzberg) - As Amended July 6, 2015


          SENATE VOTE:  37-0


          SUBJECT:  The California Public Records Act: local agencies:  
          inventory.


          SUMMARY:  Requires local agencies, by July 1, 2016, to create a  
          catalog of their enterprise systems, make the catalog publicly  
          available, and post the catalog on their Internet Web sites.   
          Specifically, this bill:


          1)Requires each local agency, except a local educational agency,  
            in implementing the California Public Records Act (CPRA), to  
            create a catalog of enterprise systems.  



          2)Requires the catalog to be made publicly available upon  
            request in the office of the person or officer designated by  
            the agency's legislative body, and to be posted in a prominent  
            location on the local agency's Internet Web site (website), if  
            the agency has a website. 










                                                                     SB 272


                                                                    Page  2






          3)Requires the catalog to disclose a list of the enterprise  
            systems utilized by the agency and, for each system, to  
            disclose all of the following:



             a)   Current system vendor;



             b)   Current system product;



             c)   A brief statement of the system's purpose;



             d)   A general description of categories or types of data;



             e)   The department that serves as the system's primary  
               custodian;



             f)   How frequently system data is collected; and,



             g)   How frequently system data is updated.



          4)Provides that this bill shall not be interpreted to limit a  
            person's right to inspect public records, pursuant to the  
            CPRA.








                                                                     SB 272


                                                                    Page  3








          5)Provides the following definitions: 



             a)   "Enterprise system" means a software application or  
               computer system that collects, stores, exchanges, and  
               analyzes information that the agency uses that is both of  
               the following:



               i)     A multidepartmental system or a system that contains  
                 information collected about the public; and,
               ii)    A system of record.





             b)   "System of record" means a system that serves as an  
               original source of data within an agency.



          6)Provides that an enterprise system shall not include any of  
            the following:



             a)   Information technology security systems, including  
               firewalls and other cybersecurity systems;



             b)   Physical access control systems, employee identification  
               management systems, video monitoring, and other physical  








                                                                     SB 272


                                                                    Page  4





               control systems;



             c)   Infrastructure and mechanical control systems, including  
               those that control or manage street lights, or water or  
               sewer functions;



             d)   Systems that would be restricted from disclosure  
               pursuant to existing law, as specified, which exempts from  
               the CPRA the disclosure of information security records  
               that would reveal vulnerabilities of an information  
               technology system or increase the potential for cyber  
               attacks, as specified; and,



             e)   The specific records that the information technology  
               system collects, stores, exchanges, or analyzes.



          7)Provides that nothing in this bill shall be construed to  
            permit public access to records held by an agency to which  
            access is otherwise restricted by statute or to alter the  
            process for requesting public records, as set forth in the  
            CPRA.



          8)Requires the local agency to complete and post the catalog  
            required by this bill by July 1, 2016, and thereafter to  
            update the catalog annually.



          9)Makes a number of findings and declarations regarding new  








                                                                     SB 272


                                                                    Page  5





            information technology, its use in government, California's  
            role in "moving our nation forward in the world of  
            technology," and the need to adopt standards to "ensure that  
            data collection and publication are standardized, including  
            uniform definitions for machine-readable data."



          10)Finds and declares that Section 2 of the bill furthers,  
            within the meaning of paragraph (7) of subdivision (b) of  
            Section 3 of Article I of the California Constitution, the  
            purposes of that constitutional section as it relates to the  
            right of public access to the meetings of local public bodies  
            or the writings of local public officials and local agencies  
            and declares, pursuant to paragraph (7) of subdivision (b) of  
            Section 3 of Article I of the California Constitution, that  
            the Legislature makes the following findings:



            Because increased information about what data is collected by  
            local agencies could be leveraged by the public to more  
            efficiently access and better use that information, the act  
            furthers the purpose of Section 3 of Article I of the  
            California Constitution.





          11)Provides that no reimbursement is required by this bill  
            because the only costs that may be incurred by a local agency  
            or school district under this act would result from a  
            legislative mandate that is within the scope of paragraph (7)  
            of subdivision (b) of Section 3 of Article I of the California  
            Constitution.











                                                                     SB 272


                                                                    Page  6





          EXISTING LAW:   


          1)Requires public agencies, pursuant to the CPRA, to make their  
            records available for public inspection and, upon request, to  
            provide a copy of a public record, unless the record is exempt  
            from disclosure. 

          2)Requires a public agency to make non-exempt electronic public  
            records available in any electronic format in which it holds  
            the information or, if requested, in an electronic format used  
            by the agency to create copies for its own or another agency's  
            use.   

          3)Authorizes a public agency to charge to the requester the  
            direct cost of producing the electronic public record.

          4)Requires the requester of the electronic record to bear the  
            cost of producing a copy of the record, including the cost to  
            construct a record, and the cost of programming and computer  
            services necessary to produce a copy of the record if the  
            public agency produces the electronic record only at regularly  
            scheduled intervals or the request requires data compilation,  
            extraction, or programming to produce the record. 

          5)Provides that a public agency is not required to release an  
            electronic record in the electronic form in which it is held  
            by the agency, if its release would jeopardize or compromise  
            the security or integrity of the original record or of any  
            proprietary software in which it is maintained.

          6)Provides that nothing in the CPRA shall be construed to  
            require the disclosure of an information security record of a  
            public agency, if, on the facts of the particular case,  
            disclosure of that record would reveal vulnerabilities to, or  
            otherwise increase the potential for an attack on, an  
            information technology system of a public agency.

          FISCAL EFFECT:  According to the Senate Appropriations  








                                                                     SB 272


                                                                    Page  7





          Committee:


          1)Unknown, likely significant costs to local agencies to compile  
            information on enterprise systems that contain data collected  
            about the public, post the catalog on agency websites, and  
            make it available to the public (Local funds).  These costs  
            are not anticipated to be reimbursable from the state General  
            Fund.  See staff comments.


          2)Potential costs in the low tens of thousands to the Commission  
            on State Mandates (COSM).  To the extent an affected local  
            agency files a test claim for reimbursement of mandated costs,  
            Commission legal staff would prepare a full analysis of the  
            legal and factual issues raised for purposes of a  
            determination by the COSM.


          COMMENTS:  


          1)Bill Summary.  This bill requires each local agency, in  
            implementing the CPRA, to create a catalog of its enterprise  
            systems, make that catalog publicly available in the office of  
            the person or officer designated by the agency's legislative  
            body, and post that catalog in a prominent location in the  
            local agency's website, if it has one.  The bill defines  
            "enterprise system" to mean a software application or computer  
            system that collects, stores, exchanges, and analyzes  
            information that the agency uses that is both of the  
            following: a multidepartmental system or a system that  
            contains information collected about the public; and, a system  
            of record.  "System of record" means a system that serves as  
            an original source of data within an agency.



            For each enterprise system, the local agency must disclose all  








                                                                     SB 272


                                                                    Page  8





            of the following:





             a)   Current system vendor;



             b)   Current system product;



             c)   A brief statement of the system's purpose;



             d)   A general description of categories or types of data;



             e)   The department that serves as the system's primary  
               custodian;



             f)   How frequently system data is collected; and,



             g)   How frequently system data is updated.



            The bill exempts the following from its requirements:











                                                                     SB 272


                                                                    Page  9







             a)   Information technology security systems, including  
               firewalls and other cybersecurity systems;



             b)   Physical access control systems, employee identification  
               management systems, video monitoring, and other physical  
               control systems;



             c)   Infrastructure and mechanical control systems, including  
               those that control or manage street lights, or water or  
               sewer functions;



             d)   Systems that would be restricted from disclosure  
               pursuant to existing law, as specified, which exempts from  
               the CPRA the disclosure of information security records  
               that would reveal vulnerabilities of an information  
               technology system or increase the potential for cyber  
               attacks, as specified; and,



             e)   The specific records that the information technology  
               system collects, stores, exchanges, or analyzes.



            Each local agency must complete and post the catalog by July  
            1, 2016, and update the catalog annually thereafter.  This  
            bill is sponsored by the author.











                                                                     SB 272


                                                                    Page  10







          2)Author's Statement.  According to the author, "Local  
            government agencies throughout California possess a  
            potentially powerful tool for improving the lives of  
            Californians:  data. In too many cases, however, local  
            agencies - and the constituents they serve - do not know what  
            data they have collected or how to access it.  SB 272 will  
            identify what information is being kept by local agencies, how  
            it is maintained, and who is responsible.  Publishing a  
            catalog of this information will reveal how accessible and  
            usable the information is for public review and analysis, and  
            immediately empower Californians to utilize this information. 



            "There are thousands of local public agencies that collect  
            information on critical government programs and services.  The  
            data include building permits and public parks to potholes and  
            public transportation.  Harnessing the power of this locally  
            generated data could help spur economic growth, tackle major  
            infrastructure issues and set millions of Californians on a  
            path toward upward mobility.  Properly gathered and clearly  
            understood data would also help empower state and local  
            agencies to collaborate more effectively and improve service  
            delivery."





          3)Background.  The CPRA, enacted in 1968, requires public  
            disclosure of public agency documents.  The CPRA gives every  
            person the right to inspect and obtain copies of all state and  
            local government documents not exempt from disclosure.   
            Recognizing that public agencies were increasingly relying on  
            electronic documents, the Legislature approved 
          AB 2799 (Shelley), Chapter 982, Statutes of 2000.  Among other  
            things, AB 2799 required public agencies, upon request, to  








                                                                     SB 272


                                                                    Page  11





            disclose electronic records in an electronic format in which  
            the agency held information, or in a format that had been used  
            by the agency to create copies for its own use or for use by  
            other public agencies.



            Since that time, the Open Data movement has been rapidly  
            growing in popularity and recognition, both nationally and in  
            California.  Computer technology has advanced to provide open  
            format software, which allows electronic documents created and  
            maintained by public agencies to be searched, indexed, and  
            redacted electronically.  





            In 2009, in order to increase government agency  
            accountability, promote informed public participation, and  
            create economic opportunity through expanding access to  
            information online in open formats, the United States Director  
            of the Office of Management and Budget issued an Open  
            Government Directive to federal government agencies.  This  
            Directive provided guidelines to public agencies responding to  
            public requests under the Freedom of Information Act and  
            instructed federal government agencies to "publish information  
            online in an open format that can be retrieved, downloaded,  
            indexed, and searched by commonly used web search  
            applications."





            In 2013, President Obama signed Executive Order No. 13642,  
            which established the Open Data Policy and required all newly  
            generated government data to be made available in open,  
            machine-readable formats in order to "promote continued job  








                                                                     SB 272


                                                                    Page  12





            growth, Government efficiency, and the social good that can be  
            gained from opening Government data to the public."





          4)California Open Data Portals.  The California Health and Human  
            Services Agency (CHHS) launched an Open Data Portal (portal)  
            initiative in order to increase public access to one of the  
            state's most valuable assets - non-confidential health and  
            human services data.  According to the CHHS portal, "Its goals  
            are to spark innovation, promote research and economic  
            opportunities, engage public participation in government,  
            increase transparency, and inform decision-making.  'Open  
            Data' describes data that are freely available,  
            machine-readable, and formatted according to national  
            technical standards to facilitate visibility and reuse of  
            published data.
            "The portal offers access to standardized data that can be  
            easily retrieved, combined, downloaded, sorted, searched,  
            analyzed, redistributed and re-used by individuals, business,  
            researchers, journalists, developers, and government to  
            process, trend, and innovate.  (It) puts tools for  
            transparency, accountability, and innovation directly into the  
            hands of Californians and others through a centralized,  
            user-friendly interface.  (The portal) provides users with a  
            single point of entry to access CHHS departments' publishable  
            data.  This increased visibility provides derivative value as  
            the public is able to analyze and utilize publicly available  
            (publishable) government data to better understand what is  
            happening in government on all levels - federal, state, and  
            local."





            The CHHS also developed an Open Data Handbook (handbook),  








                                                                     SB 272


                                                                    Page  13





            which provides guidelines to identify, review, prioritize and  
            prepare publishable CHHS data for access by the public via the  
            CHHS portal.  The handbook is intended to serve both as an  
            internal and external resource to any party that may be  
            interested in improving the general public's online access to  
            data, and to provide an understanding of the processes by  
            which CHHS makes its publishable data tables available.  The  
            handbook "focuses on general guidelines and thoughtful  
            processes but also provides linked tools/resources that  
            operationalize those processes."





            The State Controller also has an open data website, which  
            contains financial and statistical information for cities and  
            counties around the state, allowing visitors to track  
            spending, revenues, assets, and liabilities.  The Controller's  
            website contains more than 13 million fields of data for  
            counties and cities over an eleven-year period, from  
            2002-2013.





          5)Open Data and Cities.  The National League of Cities in 2014  
            issued a report entitled, "City Open Data Policies: Learning  
            by Doing."  According to the report, "The White House launched  
            its Open Government Initiative in 2013, including its Data.gov  
            website, thus beginning the process of making government data  
            more readily available.  In the wake of this federal  
            initiative, in partnership with communities, private  
            companies, advocates, and the technology sector, cities have  
            begun to innovatively pursue open data.  











                                                                     SB 272


                                                                    Page  14





            "As the primary providers of government services, cities  
            collect and hold massive amounts 


            of data about crimes, waste management, transportation,  
            education, housing, consumption, and more.  Until recently,  
            much of the inherent potential in this data has been untapped.  
             
            By making city data freely accessible, governments have not  
            only improved their transparency, but have begun to use open  
            data as a means to improve services and gather more  
            information about communities?(However), open data is still a  
            new concept to governments and practice models for  
            implementation and design are lacking."



            Several local jurisdictions in California have launched their  
            own Open Data websites or portals.  For example, the City of  
            Los Angeles has a searchable website with information on the  
            economy, public safety, environment, city services, city  
            budget, events and culture, parks and libraries, and  
            transportation.  About three months after the launch of Los  
            Angeles' open data site, the city appointed its first Chief of  
            Data officer.





            As another example, AmLegal Decoder was deployed in San  
            Francisco after the Mayor's Office of Civic Innovation, The  
            OpenGov Foundation and American Legal Publishing Corp. teamed  
            up to transform and publish the city's laws and legal and  
            technical codes at SanFranciscoCode.org.  AmLegal Decoder is  
            open-source software that automatically updates  
            SanFranciscoCode.org and delivers every newly codified city  
            law accessible online for city employees, everyday citizens  
            and anyone else who might need them.








                                                                     SB 272


                                                                    Page  15










            In addition, the City of Long Beach has its own open data  
            site, OpenUpLongBeach.com.  Long Beach and Fresno have hosted  
            open data events as well.  The Open Knowledge Foundation also  
            lists Sacramento, San Jose, Oakland, West Hollywood, Pasadena,  
            Culver City, Santa Clarita, Bell, Manhattan Beach, San Diego,  
            Burbank, Compton, and other California cities in its U.S.  
            Cities Open Data Census.





          6)Proposition 42.  Proposition 42 was passed by voters on June  
            3, 2014, and requires all local governments to comply with the  
            CPRA and the Ralph M. Brown Act (Brown Act) and with any  
            subsequent changes to those Acts.  Proposition 42 also  
            eliminated reimbursements to local agencies for costs of  
            complying with the CPRA and the Brown Act.



            This bill contains language that says that the Legislature  
            finds and declares that Section 2 of the bill furthers the  
            purpose of the California Constitution as it relates to the  
            right of public access to the meetings of local public bodies  
            or the writings of local public officials and local agencies.   
            Pursuant to paragraph (7) of subdivision (b) of Section 3 of  
            Article I of the Constitution, the bill also includes a  
            finding that says that " Because increased information about  
            what data is collected by local agencies could be leveraged by  
            the public to more efficiently access and better use that  
            information, the act furthers the purpose of Section 3 of  
            Article I of the California Constitution." 









                                                                     SB 272


                                                                    Page  16









            Section 4 of the bill specifies that no reimbursement for  
            local agencies to implement the bill's provisions is necessary  
            because "the only costs that may be incurred by a local agency  
            or school district?would result from a legislative mandate  
            that is within the scope of paragraph (7) of subdivision (b)  
            of Section 3 of Article I of the California Constitution."





          7)Related Legislation.  AB 169 (Maienschein) establishes open  
            format requirements for posting a public record if a local  
            agency maintains an "open data" Internet Resource, as  
            specified, and voluntarily posts the public record.  AB 169 is  
            pending in the Senate Appropriations Committee.



            AB 1215 (Ting) creates the California Open Data Act and the  
                                                                 position of Chief Data Officer, who is required to establish  
            the California Open Data Standard (standard), as specified;  
            requires state agencies to make public data, as defined,  
            available on an Internet Web portal pursuant to that standard;  
            and, allows a local government to adopt that standard.  AB  
            1215 was held in the Assembly Appropriations Committee.





            SB 573 (Pan) requires the Governor to appoint a Chief Data  
            Officer, who is required to create a statewide open data  
            portal, as defined, to provide public access to public data  
            held by state agencies.  SB 573 is pending in the Assembly  








                                                                     SB 272


                                                                    Page  17





            Appropriations Committee.





          8)Previous Legislation.  SB 1002 (Yee) of 2012 would have  
            required the State Chief Information Officer to conduct a  
            study to determine the feasibility of providing electronic  
            records in an open format.  SB 1002 was vetoed with the  
            following message:



               The role of the State Chief Information Officer is to make  
               sure that state government uses information technology  
               efficiently and effectively - including providing public  
               records electronically when possible.  Another legislative  
               report on electronic public records isn't necessary.





            AB 2799 (Shelley), Chapter 982, Statutes of 2000, required  
            public agencies, upon request, to disclose electronic records  
            in an electronic format in which the agency held information  
            or in a format that had been used by the agency to create  
            copies for its own use or for other public agencies.  





          9)Arguments in Support.  The Sunlight Foundation, in support,  
            writes, "(A)chieving better public knowledge of the data that  
            governments hold is at the very core of achieving open  
            government in the 21st century.  The Sunlight Foundation  
            routinely emphasizes that open data means more than just  








                                                                     SB 272


                                                                    Page  18





            accessing data the government has already chosen to publish -
          it also means knowing what information the government is aware  
            it holds, what data the government isn't releasing, and how  
            the government is prioritizing publication of its data assets.  
             Through SB 272, California will increase public awareness of  
            what datasets are held by local governments and take a  
            critical step toward unlocking the power of local data across  
            the state."



          10)Arguments in Opposition.  A coalition, including the  
            California Association of Joint Powers Authorities, the  
            California Police Chiefs Association, the California Special  
            Districts Association, the California State Association of  
            Counties, the California State Sheriffs' Association, the  
            County Recorders Association of California, the League of  
            California Cities, the Municipal Information Systems  
            Association of California,, the Rural County Representatives  
            of California, and the Urban Counties Caucus, who have an  
            oppose, unless amended, position, writes: 



            "Our associations raised concerns about the serious cyber  
            security risks that SB 272 presents by requiring the vendor  
            name and product to be listed.  Local agencies utilize  
            electronic systems to manage information related to health and  
            public safety services, utilities, and public works.  There  
            has been increased awareness of cyber security issues in  
            recent years due to an increased number of system breaches and  
            hacking threats.  As currently written, 


            SB 272 would comprise the security of our systems jeopardizing  
            the sensitive information within.  We continue to require that  
            instead of listing the product name, allow for a title or  
            other identifier to be used.  Regarding the vendor name, we  
            are asking for an amendment to make it clear that it would be  








                                                                     SB 272


                                                                    Page  19





            up to the information technology experts to make a  
            determination under the exemption currently provided in the  
            bill for cyber security.  This would allow for the system to  
            be referenced in a way that is not overly specific as to  
            jeopardize security.



            "The recent amendments to this bill have removed the previous  
            Information Technology Systems definition and replaced (it)  
            with language in previous versions which defines enterprise  
            system for purposes of the catalog.  These new amendments  
            remove problematic language for local governments and provide  
            some of the exemptions that we have requested.  However there  
            are two exemptions that we have requested that are not yet  
            reflected in the July 6th version:  911 and emergency  
            communications systems, and natural gas and electricity  
            systems.











            "In summary, we are requesting the following amendments to the  
            July 6th version of


            SB 272:













                                                                     SB 272


                                                                    Page  20





                 Specifically list vendor in (Government Code Section)  
               6254.19 to allow information technology experts to decide  
               as to whether it is a security risk.



                 Include 911 and emergency services as well as natural  
               gas and electricity to the list of exemptions."

          11)Double-Referral.  This bill was heard by the Judiciary  
            Committee on June 30, 2015, where it passed with a 10-vote.



          REGISTERED SUPPORT / OPPOSITION:




          Support


          American Civil Liberties Union of California


          American Federation of State, County and Municipal Employees,  
          AFL-CIO


          Associated Builders and Contractors of California 


          Building Owners and Managers Association of California


          California Asian Pacific Chamber of Commerce 


          California Broadcasters Association 








                                                                     SB 272


                                                                    Page  21







          California Business Properties Association 


          California Business Roundtable 


          California Forward Action Fund 


          California League of Food Processors 


          California Manufacturers & Technology Association 


          California Professional Firefighters


          California Retailers Association 


          Commercial Real Estate Development Association 


          Family Business Association 


          Firearms Policy Coalition  


          International Council of Shopping Centers 


          Los Angeles County Business Federation 


          National Federation of Independent Businesses 








                                                                     SB 272


                                                                    Page  22







          San Diego Regional Data Library 


          San Francisco Technology Democrats 


          Sunlight Foundation 


          Urban Strategies Council




          Concerns


          City of Roseville




          Opposition


          California Association of Joint Powers Authorities (unless  
          amended)


          California Municipal Utilities Association


          California Police Chiefs Association (unless amended)


          Opposition (continued)









                                                                     SB 272


                                                                    Page  23






          


          California Special Districts Association (unless amended)


          California State Association of Counties (unless amended)


          California State Sheriffs' Association (unless amended)
          Cites of Camarillo and Diamond Bar


          County Recorders Association of California (unless amended)


          Desert Water Agency


          El Dorado Irrigation District


          League of California Cities (unless amended)


          Municipal Information Systems Association of California (unless  
          amended)


          Rowland Water District


          Rural County Representatives of California (unless amended)


          Urban Counties Caucus (unless amended)










                                                                     SB 272


                                                                    Page  24










          Analysis Prepared by:Angela Mapp / L. GOV. / (916)  
          319-3958