Member Article

Effective July 1, 2016, all local agencies (excluding local educational agencies) must create catalogs of their enterprise systems that store information, and post this information in a prominent location on their websites.

Which Enterprise Systems Are Covered by SB 272

Governor Brown approved SB 272 in October of this year, adding section 6270.5 to the California Public Records Act (the “Act,” Government Code Sections 6250-6276.48). Section 6270.5 defines an enterprise system as a software application or computer system that collects, stores, exchanges, and analyzes information that the agency uses that is (1) a multidepartmental system or system that contains information collected about the public and (2) a system of record. A system of record means a system that serves as an original source of data within an agency. Stated plainly, SB 272 requires local agencies to create a catalog of multidepartmental systems or systems containing information about the public that store original records and post the catalog on their agency website.

Which Systems Are Excluded

Enterprise systems do not include cybersecurity systems, infrastructure and mechanical control systems, or information that would reveal vulnerabilities to, or otherwise increase the potential for an attack on, a public agency's IT system.

Additionally, section 6270.5 does not automatically require disclosure of the specific records that the IT systems collect, store, exchange or analyze, however, the Act's other provisions pertaining to disclosure of such records still apply.

What Information Must Be Included in the Catalog

For each enterprise system included in the catalog list, agencies must disclose:

1. Current system vendor
2. Current system product
3. The purpose of the system
4. What kind of data is stored in it
5. The department that serves as the system's primary custodian
6. How frequently system data is collected
7. How frequently system data is updated

Significance of SB 272 & Future Outlook for Local Agency Privacy Laws

Privacy advocates celebrate this law as "allow[ing] for greater accountability and transparency regarding the types of information collected on members of the public." (Electronic Frontier Foundation "Success in Sacramento: Four New Laws, One Veto – All for Privacy and Transparency" October 14, 2015. Available at: https://www.eff.org/deeplinks/2015/10/success-sacramento-four-new-laws-one-veto-all-victories-privacy-and-transparency.)

In enacting SB 272, the legislature emphasized that the law is intended to help local agencies continue to gain operational efficiency and increase collaboration by allowing online access to public sector data. Local agencies, the legislature stated, have turned internally gathered and maintained data into usable information for the public to access and leverage for the benefit of their communities.

Looking forward, in light of the slew of privacy laws enacted this year, we anticipate that the legislature will soon pass additional privacy and cybersecurity laws that will further impact local agencies. Indeed, in enacting SB 272, the legislature foreshadowed the passage of future local agency data collection standards:

"In moving government to a more effective digital future, standards should be adopted to ensure that data collection and publication are standardized, including uniform definitions for machine-readable data. Online portals should also be developed to assist with public access to collected data."