FAQs on SB 272 Compliance

From the CSDA Webinar on May 25, 2016 and the Streamline webinar June 29, 2016 – by Sloane Dell'Orto

Introduction

Below are the questions from our webinars and my answers (some of which were verbally expressed, but I’m expanding the answers here in hopes that it’s helpful). We’ve pulled names, and also all of the kudos (but we appreciate them so very much!)

Important note: we are all doing our best to understand this law and to help agencies comply. In the end, any interpretations we make are just our opinions, and anything not expressly stated in the law won't be clear until a court decides at some point in the future. (We hope it won't come to that, of course, hence all the advice!)

For example:

Dillon (at CSDA) and I sometimes disagree about whether or not a specific system should be listed. It often comes back to this discrepancy in the law language:

…“Enterprise system” means a software application or computer system that collects, stores, exchanges, and analyzes information...

That first “and” is a big deal - many systems could be excluded if you think they technically don’t do all four of those things. However, later in the language there is that pesky “or” that has me worried:

...The specific records that the information technology system collects, stores, exchanges, or analyzes...

Also - what does “analyze” mean? What if you do a word count in a Word document? What if you do sums in an Excel spreadsheet? (Sigh.)

What we always agree upon, however, is this: until we have more clarity, err on the side of keeping your agency safe - which might mean including, or might mean excluding a particular system. (The debates are kinda fun, though.)

Lastly, a disclaimer: all of us are giving this our best guess - even the attorneys. So take all of my answers as well educated guesses. 


To determine if it’s an enterprise system:

  1. Is it a system of record? (Is it the original source of the data?) If no, you're done - it's exempt.
  2. If yes, does it meet either of these conditions?
    • (a) Is it multi-departmental? (Do people from multiple departments access this system? If you don’t have official departments, it should be considered multi-departmental, since the employee(s) wear multiple hats.)
      or,
    • (b) Does it contain information about the public? (To get some context for this and what it might mean, you might check out http://www.thefirstamendment.org/publicrecordsact.pdf - looking to the guidelines of the PRA is the only thing we have to help determine what “about the public” means.)

Now, on to the questions:

Q: What is the deadline for this?
The deadline for compliance is July 1, 2016.

Q: Is this catalog tool free to use, or is it just a free trial?
The tool is completely free, for life. (You need to update your catalog annually, by the way). 

Q: Speaking of updating annually, what does that mean?
(Actually no one asked this, but I wanted to get it in here!) The law does not define “annually” so we’re not sure if you should do it every July 1 (since that’s the first deadline), or 12 months after your first publication of the catalog, or every fiscal year, or … well, you get the picture. If you’re using our tool, it’s easy to add new systems as you bring them online, and you can publish new catalogs whenever you’d like (and it saves your old revisions, too), so you might publish more than annually if you decide to. Because of course you will have fun with this! :)

Q: Are we allowed to share the link to the tool with other districts who are not CSDA or Streamline members?
Please do! We hope to help as many local agencies as possible to comply with this law. The effort becomes more worth it when a lot of people are helped.

Q: Is there a way for us to download this slideshow?
You can download the slideshow (and get links to all other resources) here.

Q: Will I be able to integrate this into our current website or will it be linked to a new window?
Currently you can link to it, but if we get enough requests for embedding HTML we may add that feature. :)

Q: Is there an embedding tool?  I would like to integrate this catalog instead of having visitors click a link to a new window.
There isn’t … yet! This is our second request, so my guess is that we’ll provide that functionality in the near future. (We had a total of seven or eight by the end of the webinar.)

Q: Can we print it out, and just post it on our website as a pdf?
You can absolutely do that. :)

Q: We are a small special district that just started - do we first need to establish a website before we can use this tool or is it stand alone?
You do not have to have a website to use our free tool - you can use it as a stand alone system, and just save the URL and print the catalog to have on file.

Q: What about Google Drive?
If you are only using Google Drive for storage, but not creating the actual documents using the Google suite tools, then maybe not. However, if you are using the full Google Apps suite (drive, sheets, docs, email, etc), it should probably be included, as many of the documents you create using that suite of tools likely fit the requirements. (For example, if you use the spreadsheet tool to track data, or the document tool to create original documents related to the public.) Look at this suite of tools similarly to the Microsoft Office suite of tools, go through the steps and see what you come up with.

Q: Being a special fire district, I shouldn't have to choose 'yes' for multidepartmental, correct?
We specifically asked the attorneys about this, since so many of our customers are smaller districts with no official “departments.” (My fire district doesn’t have “departments” either.) Their opinion led to the help text we included in our tool, which says: “If your agency has multiple departments, choose Yes if this system is used in more than one department. If your agency has no separate departments, choose Yes, since all systems should be considered multi-departmental in this case.”

Q: We are a fire district that utilizes Firehouse software for our incidents. I believe that falls under operations of emergency services and does not need to be listed, correct?
There is a specific exclusion for 911 and emergency services operations, and this definitely sounds like that applies to this system.

Q: I would argue strongly that Microsoft Office is not an enterprise system that collects or stores anything. Maybe your file shares or cloud storage, but not simple productivity tools.
We go back and forth with this as well. We are suggesting that everyone err on the side of including too much (as long as you feel safe doing so) rather than getting into too many discussions around the technicalities. (Dillon, at CSDA, and I were just talking about Word yesterday. Does “word count” mean you’re “analyzing” your data? Ooof.)

Q: I would argue that all back-office systems that all organizations have (accounting, HR, etc.) are excluded because they don't deal with the kind of data the authors were after, and in most cases would be automatically excluded on security/PII grounds.
I would be careful to distinguish between a system that tracks data and the data in it. Even if you would not share the actual data via a Public Records Act request, due to privacy concerns, it’s very likely that the system itself needs to be listed in your catalog. (One of the frustrating things about putting this into the Public Records Act, but having different rules for compliance for the original PRA and SB 272 addition.)

Q: I was told by Legal Counsel we do not have to comply, we are a special district with a website. He claims because we are small we do not have to comply.
There is absolutely no exemption in the law language for size of district, operating revenue, etc. The only exemption is for “local educational agencies” - basically school districts.

Q: Do you have to include web-based applications (i.e., ParcelQuest) in your catalog?
We do not believe that web-based, or “cloud” systems, are exempt in any way. You just need to vet them against the steps to see if the particular system qualifies as an enterprise system, per the law (needs to be a “system of record” and either multidepartmental or a system that contains information collected about the public). If you use our tool, the steps will help you decide.

Q: We are under decree order to camera every sewer line, Granite XP is the software being used.  Is this exempt as there is no customer data?
Our best guess is that it is not exempt, because it likely includes “information about the public” (public property, sewer lines being paid for by public tax dollars, etc.).

Q: Could we list Microsoft Office Suite once for agendas/minutes, applicant contact data, project data, email, etc and be done with it? Or do they need to be listed separately?
I would suggest you list the entire Suite at once, and save yourself the trouble of listing each separately. Just make sure you include a good description of the types of data / uses later in the steps so you cover most, if not all, of the uses.

Q: What about audio files from Board meetings? How do we list audio? It isn't software, just an mp3 file.
Hmmmm. Well, the idea here is to list the actual computer systems, so if you simply record with an iPhone, for example, then include the MP3 on your website, I would think this would not need to be included. 

Q: Assuming we all use Microsoft Office, perhaps there is some common description that we can use?
That’s a great suggestion! We’ve had a few people say they would really appreciate an autocomplete field for Vendor / Product, where you could start to type and a list of matches that other people had entered would drop down. Dennis, who developed this tool, suggested it at the beginning (it was one of those stickies you saw on the post-it slide.) 

I wonder if a support group for those affected by SB 272 would be helpful. ;-) Seriously though, it would be great to have a Listserv or forum where people can share best practices and give one another tips … or just commiserate with one another. If we hear of interest we would be happy to set something like that up. We already have forum software that could support it.

Q: How does knowing what software we use help the public? Can the public demand access to files?
To be honest, I’m not sure how this helps the public. But to answer the second question, just because they know of a system you use does not give them the right to the data in it; that would be determined by the rules of the original Public Records Act. (Here are a couple of great resources on the PRA: http://www.thefirstamendment.org/publicrecordsact.pdf and https://www.cacities.org/Resources/Open-Government/THE-PEOPLE%E2%80%99S-BUSINESS-A-Guide-to-the-California-Pu.aspx - the second one is prettier.)

Q: What about a web based payroll system?
My guess is that it should be included. The fact that it’s web based doesn’t exempt it, and while you may not turn over payroll information via a PRA request, there is likely no danger to list the system in your catalog. (However, if you do think you should not list the specific system, you can use the “system description alternative identifier” step instead of listing the vendor and software.)

Q: If our billing is done by a private company do we have to list the software they use?
Our understanding is that you do *not* have to list anyone else’s systems, only the ones you use. So if the county manages your billing, they would have to list it but you would not. If an independent contractor (company or individual) manages your billing, you do not have to list the systems they use to do so.

Q: Does CAD software such as Microstation or AutoCAD need to be included in the catalog?
I think so - but it depends on how you use it. If you create original maps, for example, of public property or public resources, I think you do need to list it. The trick here is this: is it a system of record (the original source of that data)?  

Q: I make videos for my fire district. Is the editing software considered exempt?
Dillon says yes. I’m not sure. (It’s that pesky “and / or” issue again!) I would suggest that you list it if you feel safe doing so, and exclude it if you don’t. If you track it in our tool, with the exemption, you should be in a good position to defend your choice if it ever comes up.

Q: Some CAD programs are to map fire districts to an incident, exempting them as emergency services.
Agreed - the 911 / emergency services exemption would apply in that case.

Q: What about Emergency Reporting for our Fire Department?
This would probably get the 911 / emergency services exclusion as well. Put it in the tool and just check that box when you get to it!

Q: Any idea about web based applications, like Asana (project management tool)?
Web-based doesn’t offer an exclusion on its own, but I’m familiar with Asana and it’s hard to say if you need to list it - that probably depends on the information you track and if it meets the requirements (system of record? multi-departmental or has info about the public?)

Q: Do we need to list our GIS program if we get the GIS files from the County? We do not maintain or update the layers but use them to create maps.
This is a tough one just because the maps you create *may* be an original source of data, when they are complete. Without knowing more detail about how your final maps are used / updated / etc, I have to say I think it could go either way.

Q: Our payroll is processed by another public agency - how do we note that?  It should be part of the County's disclosure, but do we need to note that somehow?
They need to list it, but you don’t. Yay!

Q: Why does Streamline offer this for free?
This is hard to answer in a politically-correct way. :)) Um… what I can say is that I have a background in local government in a small county, and in special districts in a very small town (700 people!). With that kind of background you can imagine that unfunded state mandates frustrate me, a lot. Tucking them into the PRA like this, so you don’t have to fund them, makes me angry. We just felt like we had to help and it wasn’t right to profit from that.

Q: How can I join a mailing list that sends information about things like this?
We are going to add everyone to our mailing lists, so you’ll continue to get info about this and other legislation. It’s super easy to unsubscribe if we’re boring you at any point. (Ahem, speaking of legislation, take a look at AB 2257 this year: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201520160AB2257
CSDA has done a great job of getting some workable amendments in there … and as a plug for our “real” business, our Streamline Web™ clients will be in compliance automatically!) 

Q: Do we need to list the archiving software we use to archive our old files?
I need to send you a prize for the best question! :))
This is a tough one, but I would look to the basics: is it the source of original data (maybe so, if the old files *only* exist there, at some point)? … is it multidepartmental or does it contain information about the public? (probably so). You might want to err on the side of safety and include it.

Q: Emergency Reporting system (fire department) has HIPAA protected information so it must be exempt.
Luckily the 911 / emergency services exemption covers this one!

Q: Our payroll system does not have information regarding public....thinking this system would be exempt as well.
Yeah it’s hard to know what they mean by “information about the public.” Since so much of the hoopla is around how public tax dollars are spent, you might want to include it to be safe.

Q: We use neogov.com to manage employment opportunities internally and externally. Should we include this in the catalog?
I would include it, unless you feel it’s not safe to do so. 

Q: Does website software (Go Daddy) have to be listed?
We talked about this a lot internally, since our paid product is a website builder. Is it a system of record? Probably not, as I would guess that most (if not all) of the content you add to your site exists elsewhere before it goes up.

Q: What is the name of the attorney you spoke to?  Because the answer you have been given on multidepartmental makes no sense and is not reflected in the committee hearing reports on the bill.
It kind of makes sense to me, in the case that if you have five employees doing various things, but no official departments … and yet all employees have access to the system in question, it’s not that different than a larger organization allowing multiple official departments to access the system. As with most of our advice, we feel it’s better to be safe than sorry, but each agency without defined departments will need to determine for itself. 

Q: We were told that an excel spreadsheet we use for timekeeping should be listed. Your thoughts? 
Yes, we agree that should be listed. Considering agencies have to disclose pay, it’s hard to imagine that time tracking (even if the actual data isn’t shared) would be exempt from SB 272.

Q: Are voicemail/phone systems supposed to be listed? We are very small (20 employees).
The number of employees or size of your agency doesn’t affect compliance–even the smallest organizations have to create a catalog, even if they don’t have computer systems. (Then you just need something saying you have no enterprise systems.) As for the phone or voicemail system, I suppose the voicemail itself would be a system of record.

Q: Can you reiterate or email me the cost of your system.
Our compliance tool is free.    

Q: If Adobe is used by one or more departments to create marketing pieces, does it have to be listed?
I’m not sure the authors care about marketing pieces, but if it meets all the requirements (system of record, about the public or multi-departmental) then you could go ahead and list it. I doubt anyone will get in trouble for skipping graphic design type systems. Adobe Acrobat would not need to be listed since it’s never a system of record.

Q: What about license plate reader systems that can be used to track commuter patterns and are frequently linked to cell phones to track movement?
If they store the data then this might be a yes. The tool will walk you through the specific steps to determine for sure.

Q: You have Microsoft Office included in your example catalog but Word, Excel, etc. only utilizes information collected elsewhere. Since the code confusingly says AND and OR, should we include it in our catalog to cover ourselves?
We suggest including anything that the “or” would cover, since that is in the language later in the law. It doesn’t hurt and you are likely going to include Outlook anyway - may as well include the whole suite and CYA. :)

Q: So, if I am hearing correctly, when we finish using the tool, the information to connect to our website will be at the top?  I am concerned that when I use the tool, I won't be able to post it to our webpage.
Correct! There are details at the top of the tool once you’ve published your catalog, and we also have knowledgebase articles to help: http://sb272.getstreamline.com/

Q: Could we list "Microsoft Office suite" instead of itemizing the Microsoft programs (example: Word, Excel, Outlook)? Do we have to list Outlook, Excel, PowerPoint, Publisher, etc.?
We suggest that you simply list the whole MS Office Suite as one listing, then include all the purposes, etc later in the steps. That way it’s just one system you need to list, but you’ve covered all your bases.

Q: Transit has surveillance on buses. That would have to be listed, correct?
I believe that the security exemption will apply here. In our tool you can inventory the system, then choose the proper exemption (for surveillance systems) and the tool will save your work but not include that system in the published public catalog.
            
Q: Is cloud storage exempt?
Cloud storage isn’t exempt just by the nature of it being in the cloud … so you need to look at the criteria: does it contain information about the public? (probably) … is it the system of record? (maybe?) … etc.

Q: What about automated license plate reader systems?
Good question! As we talked about earlier, if they collect and store data, probably. Where it gets a bit sticky is the “analyze” part–does the system analyze the data it collects? Is there aggregated data? (And again, early in the law it says “software application or computer system that collects, stores, exchanges, and analyzes information” while later it says “... or …”) If you go with “or” then just about every software system should be looked at.

Q: If an employee uses an iPad to take pictures, thus creating new data, do I have to list iOS?
Such a great question. If the pictures are stored on the iPad then I would say you may want to list it. However, if they are then moved to another device or storage location, you probably don’t need to. It’s kind of anyone’s best guess at this point. :)

Q: What about security cameras?
The security exemption would apply, so no, you don’t need to list them.

Q: Will this tool alert us if a certain program need not be added?
Yes it will - it will tell you the system is exempt, and allow you to save it in your inventory for future reference, but it won’t include the exempt systems in your published, public catalog.

Q: We are a water district and use a PDA to gather meter information once a month which we then hook up to the program water solutions. Would I have to list both or could they both fall under the Water Solutions program?
I think you’d be safe listing just the Water Solutions program since the PDA is only gathering the data.

Q: What if we have not added a system that should have been included.  Do you enter it as soon as you realize it’s not on your list?
Yep! Especially if you’re using our free tool, you can add systems and publish a new version of your catalog at any time. The URL won’t change, but will just point to the most recent version.        

Q: Our JPA Agency also provides administrative services for its participating districts (agendas, minutes, budgets, accounting, etc.) The districts themselves own no computers or software. Do we report for them the same systems used by the Agency?
If the districts don’t own or use the systems, they are not required to list them … although the JPA would be. 

Q: If there are LOTS of us who want to use your free tool in the next day or so to achieve compliance, will we crash your system?
We sure hope not! ;-) (Note: the system didn’t crash…)
        
Q: If you have a system that isn't used by multiple departments but is available to them, should these be listed as multidepartmental?
I’d say yes, just to be safe.    

Q: Can you please reiterate what is required of very small agencies, especially regarding the lack of departments and the lack of a website and/or computer?
Yep! The requirements are the same for agencies of any size. For agencies without a website, you still need to publish the catalog and keep it on hand / available, preferably wherever someone would come to make a public records act request. So you can use our tool to print paper copies for that purpose. For agencies that do have a website, you also need to post a link to your catalog on your site. If you don’t have any computer systems, you can either use our tool or handwrite a letter saying you have no enterprise systems per the requirements of SB 272. (Note that if you use a computer to type your agendas then you do in fact have computer systems…)

Q: If a catalog has already been published, and now the agency has become aware of new disclosures or the need to change info, are they able to edit this system and re-publish?
Absolutely. Every system that you inventory is completely editable and you can publish a new version of your catalog at any time. The URL of your catalog will always point to the newest one.

Q: Are the slides available for download?
Yep, we’ll follow up with an email giving you a link to the slides, Q&A, etc.
                
Q: Just to clarify; using apps like Dropbox have to be added to this list correct?
Cloud storage isn’t exempt just by the nature of it being in the cloud … so you need to look at the criteria: does it contain information about the public? (probably) … is it the system of record? (maybe?) … etc.

Q: What about taking pictures with cell phones for files?
If the pictures are transferred elsewhere for storage I would say you can probably skip listing the phone operating system.

Q: What about contractors that maintain public billing information?  Do we list those contractors on the agency catalog?
You do not need to list the software that your contractors use.

Q: Would photos of infrastructures (levees, ditches or damages) be data collected about the public?
Absolutely, since the infrastructure is public property or property managed by the district with taxpayer dollars, unless there is a valid security concern, which you'd find by checking the exclusions.

Q: One of our contractors has provided us with its catalog.  Do we need to list our contractors somewhere?    
Nope, we don’t believe that you do.


----------------------------------


As always, please feel free to email your questions or ideas for improvements to us at info@getstreamline.com - we love to hear them, and to answer when we can. 

You can also reach us at (916) 900-6619 if you just want to chat. :)
