California Supreme Court Rules that Public Business Conducted on Personal Devices Result in Public Records

by Nossaman LLP
Contact

Nossaman LLP

In a major development impacting all public entities subject to the California Public Records Act (Gov. Code § 6250 et seq., hereafter “CPRA”), on March 2, 2017, the California Supreme Court unanimously held that public officers’ and employees’ communications on personal devices and nongovernmental accounts concerning “the conduct of public business,” are public records.  As such, they are subject to disclosure in response to a CPRA request, unless a specific statutory exemption applies.  City of San Jose et al. v. Superior Court of Santa Clara County (Mar. 2, 2017, S218066).  Such devices, include, but are not limited to, personal cell phones, personal computers, and personal email accounts.

In so concluding, the Court observed, “in today’s environment, not all employment-related activity occurs during a conventional workday, or in an employer-maintained workplace.”  The Court contrasted the context in which the Legislature first enacted the CPRA in which the distinction between “writings” subject to the disclosure were “fairly formal and focused on the business at hand,” and the present.  “Today, these tangible, if laborious writing methods have been enhanced by electronic communication.  Email, text messaging and other electronic platforms, permit writings to be prepared, exchanged, and stored more quickly and easily.”  However, the Court commented, “the ease and immediacy of electronic communication has encouraged a commonplace tendency to share fleeting thoughts and random bits of information, with varying degrees of import, often to broad audiences.”  As a result, “the line between an official communication and an electronic aside is now sometimes blurred.”   

Nevertheless, the Court maintained that the relatively broad statutory definition of a public record under the CPRA did not support the lower court of appeals’ conclusion that communications from private devices were exempt from CPRA disclosure.  Instead it analyzed the following statutory predicates for CPRA coverage and reached the opposite conclusion.  The four aspects of a public include the following: “It is (1) a writing, (2) with content relating to the conduct of the public’s business, which is (3) prepared by, or (4) owned, used, or retained by any state or local agency.” 

As to the first element, the Court reached the already commonly understood conclusion that emails, text messages, and other electronic platforms are “writings” under the CPRA.  The second element raised more difficult issues because, as the Court noted, “The overall structure of the CPRA, with its many exemptions, makes clear that not everything written by a public employee is subject to review and disclosure.”  After reciting examples of writings that would “likely not be a public record,” such as an email to a spouse “complaining ‘my coworker is an idiot,’” the Court clarified that to qualify as a public record under the CPRA “a writing must relate in some substantive way to the conduct of the public’s business.”  Though this standard is “broad,” it “is not so elastic as to include every piece of information the public may find interesting.  Communications that are primarily personal, containing no more than incidental mentions of agency business, generally will not constitute public records.”

Defendant City of San Jose’s primary statutorily-based challenge to the extension of the CPRA to communications on private devices, and thus another focus of the Court’s opinion, were on third and fourth elements of CPRA coverage requiring that the writing be “prepared, owned, used, or retained by any state or local agency.”  The Court focused on the disjunctive term “or,” and noted that “In focusing its attention on the ‘owned, used, or retained by,’ aspect of the ‘public records’ definition,” the analysis “ignores the ‘prepared by’ aspect.” Instead, the Court concluded that because agencies operate through their officers and employees who will have “prepared” the records that relate to the conduct of public business, they are subject to CPRA disclosure if they are in the “agency’s actual or constructive possession.”  “Documents otherwise meeting CPRA’s definition of ‘public records’ do not lose this status because they are located in an employee’s personal account.”  “The statute’s clear purpose is to prevent an agency from evading its disclosure duty by transferring custody of a record to a private holder and then arguing the record falls outside CPRA because it is no longer in the agency’s possession.”  A document’s status as public or confidential does not turn on the arbitrary circumstance of where the document is located; specifically, the Court stated “a city employee’s communications related to the conduct of public business do not cease to be public records just because they were sent or received using a personal account.”

Thus, the Court refused to adopt a categorical exclusion of documents from CPRA’s definition of “public records” merely because they exist on personal accounts.  “If public officials could evade the law simply by clicking into a different email account, or communicating through a personal device, sensitive information could routinely evade public scrutiny.”  Acknowledging individual privacy concerns, the Court noted that they should be addressed on a “case-by-case basis,” and described certain existing statutory exemptions of “certain types of preliminary drafts, notes and memoranda (§6254, subd. (a)), personal financial data (§6254, subd. (n), personnel and medical files (§6254, subd. (c)), and material protected by evidentiary privileges (§6254, subd. (k)).”  Finally, the Court commented that CPRA already includes a catchall exemption that allows withholding records if the public interest in withholding “clearly outweighs” the public interest in disclosure, permitting a “balance between the public’s interest in disclosure and the individual’s privacy interest. [Citation omitted.]” 

Due to the potential complexity and time-sensitivity in responding to CPRA requests, public agencies should note the Court’s practical guidance on how to conduct searches of writings on private devices while balancing individual privacy.  When responding to a CPRA request, the “agency’s first step should be to communicate the request to the employees in question.  The agency may then reasonably rely on these employees to search their own personal files, accounts, and devices for responsive materials.”  The Court also provided that agencies may also adopt policies that will reduce the likelihood of public records being held in employees’ private account, such as requiring all employees to use or copy their government accounts for “all communications touching on public business.”  The Court further noted that federal courts applying the Freedom of Information Act (“FOIA”) have “approved of individual employees conducting their own searches and segregating public records from personal records, so long as the employees have been properly trained in how to distinguish between the two.”  The Court endorsed the Washington Supreme Court’s recent adoption of this procedure under its state public records law, “holding that employees who withhold personal records from their employer ‘must submit an affidavit with facts sufficient to show the information is not a ‘public record’ under the PRA.  So long as the affidavits give the requester and the trial court a sufficient factual basis to determine that withheld material is indeed nonresponsive, the agency has performed an adequate search under the PRA.’ [Citation omitted.]” 

Ultimately, the Court does “not hold that any particular search method is required or necessarily adequate.  We mention these alternatives to offer guidance on remand and to explain why privacy concerns do not require categorical exclusion of documents from personal account from CPRA’s ‘public records’ definition.”  And, now, the matter returns to public agencies of California and their public officers and employees with the admonition that use of private devices for the conduct of public business now carries far more potential burdens than previously understood by many.  Those seeking to avoid that burden may be well served to eliminate the use of private devices for communications pertaining to work in the future, except perhaps to the extent that such communications are to or from, or always copied to, accounts on their agency’s server.

Written by:

Nossaman LLP
Contact
more
less

Nossaman LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.