SB 272 Enterprise System Catalog
SB 272, approved on October 11, 2015, adds a section to the California Public Records Act requiring local agencies to create a Catalog of Enterprise Systems by July 1, 2016, with annual updates.
ENTERPRISE SYSTEMS
A software application or computer system that collects, stores, exchanges and analyzes information that the agency uses that is both of the following:
- A multi-departmental system or a system that contains information collected about the public.
- A system that serves as an original source of data within an agency.
An Enterprise System does not include any of the following:
- Information Technology security systems, including firewalls and other cybersecurity systems.
- Physical access control systems, employee identification management systems, video monitoring and other physical control systems.
- Infrastructure and mechanical control systems, including those that control or manage street lights, electrical, natural gas or water or sewer functions.
- Systems related to 911 dispatch and operation or emergency services.
- Systems that would be restricted from disclosure by Section 6254.19.
- The specific records that the information technology system collects, stores, exchanges or analyzes.
REQUIREMENTS
1. Create a catalog of enterprise systems, containing:
- Current system vendor
- Current system product
- System's purpose
- A description of categories or types of data
- The department that is the prime custodian of the data
- The frequency that system data is collected
- The frequency that system data is updated
2. Make the catalog publicly available upon request
3. Post the catalog in a prominent location on the agency's website
EXCEPTIONS
1. Enterprise systems do not include cybersecurity systems or infrastructure and mechanical control systems. For these, and for disclosable Enterprise systems, no information that would reveal vulnerabilities to, or otherwise increase the potential for an attack on, a public agency's IT system shall be disclosed.
Additionally, section 6270.5 does not automatically require disclosure of the specific records that the IT systems collect, store, exchange or analyze; however, the Act's other provisions pertaining to disclosure of such records still apply.