By Jeffrey A. Roberts
CFOIC Executive Director
Senate Bill 17-040 is about clarifying the public’s right to obtain digitized government records in useful file formats that make it easier to analyze the information contained in those records.
It’s about getting a spreadsheet instead of a printout of a spreadsheet. It’s about getting a comma-separated values file instead of a giant PDF. It’s about better access to records that, according to the Colorado Open Records Act (CORA), must be made available for public inspection.
But as passed by the Colorado Senate last week, the bill is now about other things as well.
It’s about cybersecurity, water supplies, Colorado’s judicial branch, personal safety, licensing agreements and the withholding of data about data.
The bill, according to its legislative declaration, “makes no changes to what public records are available for, or protected from disclosure.” But with the Senate’s amendments, that statement no longer seems accurate. Some of the changes could be broadly interpreted to close public records that currently are open.
For those of you keeping score at home – or in a newsroom – here’s a rundown of the current version of SB 17-040, which will be heard in the House Finance Committee some time in April.
Provisions from the introduced version of the bill:
File format. If public records are stored as structured data – in a spreadsheet or a database – a requester is entitled to a copy of those records in a structured data format. If public records, such as emails, are stored in some other searchable format, the requester is entitled to the records in a searchable format. Emails might be provided as a searchable PDF, for instance.
Custodian options. If it is not “technologically or practically feasible” to produce records in the requested format, a records custodian must explain the reason in writing and make the records available in an alternate format. If a court subsequently rules that the records should have been provided in the requested format, attorney fees may be awarded only if the custodian’s action was “arbitrary and capricious.”
Redaction. The removal of any information not disclosable under CORA does not constitute the creation of a new public record. This provision is important because some custodians have withheld public records, including entire spreadsheets and databases, claiming they are not required to redact confidential information in order to release non-exempt portions.
Fees. If redaction is required, such as the excising of fields of confidential information, a custodian may charge the requester CORA’s research-and-retrieval fee (currently set at a maximum of $30 per hour after the first hour). A custodian is allowed to charge “actual or incremental costs” if programming, coding or custom search queries are required to create a public record in response to a request.
No misdemeanor. The legislation deletes a long-standing penalty (up to 90 days in jail and a $100 fine) for anyone who “willfully and knowingly” violates CORA. Lawyers who have worked on open-records cases for many years cannot recall anyone ever being prosecuted for violating CORA (although the Denver District Attorney is currently investigating the Denver Police Department for an alleged violation of the criminal justice records law).
New provisions added in the Senate:
Infrastructure security. The definition of “public records” in CORA would exclude infrastructure security data, described as “any record the disclosure of which could endanger public safety or the operation of critical infrastructure.” Under this broad amendment, any such record would no longer be subject to CORA requests, even if it also contains information that is disclosable under the open-records law.
Critical infrastructure includes, for example, bridges, tunnels, dams, water treatment supplies, airports, railways and public buildings. If a records custodian withholds a record on the grounds that it contains infrastructure security data, he or she must provide the requester with a written explanation, copies of which are forwarded to Colorado’s attorney general and the state Division of Homeland Security.
A requester who sues for access must prove that the record does not meet the definition of infrastructure security data. Everywhere else in CORA, records are presumed to be open for public inspection unless the government can show that an exemption applies.
The sponsor of the infrastructure amendment, Sen. Jerry Sonnenberg, R-Sterling, called it “simply a security-type issue.” But the language could be interpreted to withhold records currently available to the public, such as a database recently analyzed by FOX31 which showed that 142 active dams in the state flunked their latest inspection.
The legislature addressed infrastructure data security after the 9-11 attacks, allowing records custodians to withhold portions of records that contain “specialized details of security arrangements or investigations.”
Cybersecurity and metadata. Records custodians would not be required to release metadata, even though the bill doesn’t define the term “metadata.” Wikipedia defines it as “information about other data.”
If metadata is not defined in the bill, a requester could be prevented from obtaining records needed to properly understand the information kept in a relational database, a spreadsheet or a mapping shapefile. This can include, for instance, a data dictionary or a record layout. For mapping files, metadata describes the coordinate system and any demographic information included in attribute columns.
Another new section of SB 17-040 allows records custodians to withhold software programs, source documentation, database schema, database design structures and the terms and conditions of any license agreement. CORA already excludes computer software from its definition of public records, but concerns about the withholding of database schema and design structures are similar to those regarding the withholding of metadata.
This provision could allow governments to deny requests for lists of databases, a description of the content of databases or codes used in databases. The “terms and conditions” provision could let a government hide contracts such as a new $6.1 million agreement between Denver and a company that will provide database management software for city departments.
Personal security. Any current or former public employee could ask to have his or her home address, personal telephone number or other identifying information withheld from public records produced in a structured data or searchable format.
If the employee explains in writing why the disclosure of such information poses a credible safety risk, the information would be redacted from the data or the records custodian would deny inspection of the records.
This provision replaced a much broader committee amendment to SB 17-040 that would have allowed the withholding of “any records the inspection of which is reasonably likely to compromise the safety or security of any natural person.”
Judicial branch. The terms “state” and “agency” are redefined to include the judicial branch of state government.
This amendment may have more of a political impact than a practical one. Added by Senate Republicans, it is intended to make the judicial branch subject to CORA, a concept that Democrats (who control the House) defeated earlier this session and last year.
The branch’s administrative records are exempt from CORA requests because of two Colorado court rulings, most recently Gleason v. Judicial Watch in 2012. But merely declaring the branch subject to the open-records law likely would have no effect because the Colorado Supreme Court has adopted rules governing access to the judiciary’s records, and CORA prohibits the disclosure of records protected by court rules.