CPRA Guide – Public Agencies
Welcome to the Open Information Collective’s guide to the California Public Records Act for governmental agencies! This guide is primarily designed for very small state agencies (who should still seek advice from any relevant state legal departments) and for local agencies at any level.
If you’re looking for how to handle a request you’ve received, look at the “How to Handle a Request” section. If you need more specific details, the rest of this guide has statements on more specific issues that can come up. If you have more questions, you can always contact the Open Information Collective for more information; please do note that, while we follow general practice for the California Public Records Act, some parts of the Act are in dispute, and your internal policy may require you to take actions we believe violate the Act. Also please note that, while we recommend agencies follow the procedures outlined in this guide, this guide is not legal advice, and the Open Information Collective is not legal counsel for any public agency.
To review the citations in this guide, as well as to view all obligations under the Act, please review Division 10 of Title 1 of the California Government Code.
IMPORTANT NOTE: Starting January 1, 2023, the California Public Records Act was recodified to use Sections 7920.000-7931.000 of the Government Code; it was previously under Sections 6250-6270. This guide will use the new section numbers, as they are the applicable law; however, many internal documents, reference guides, and requests from individuals will use the old section numbers. The effect of the law is no different, and any claim valid under one set is valid under the other; you can view a translation/disposition table for the section numbers here.
How to Handle a Request
Who handles a request?
Everyone in a public agency needs to know one primary detail of handling a request: getting it to the proper authority. Some public agencies are so small that anyone can handle a records request. Some agencies may have designated policies for who handles requests, and those people should handle all requests. Some agencies don’t have a standard set up, or the standard may not be clear/communicated to employees.
If you receive a request, and you are not the primary person at your agency who handles requests, you need to determine who that person is as soon as possible. The onus to send requests to the correct individual is not on the requester, but on the agency. If you are the person at your agency who handles requests, skip to the next section.
In larger agencies, a specific individual may be given a title like “Records Access Officer”; if no such individual exists, common departments for handling requests are often “Business Services” departments. If the agency does not have a department that seems appropriate for handling requests, Human Resources is often an acceptable department to forward a request to.
In smaller agencies, there often isn’t a clear departmental structure or individual to send a request to. In that case, the usual recommendation is to send the request to the highest-level individual in the agency, or their secretary/assistant. Sometimes, they will directly handle the request; if not, they will pass it off to the appropriate individual.
Time is of the essence, so do not delay passing off a request. If you are not an employee of the agency tasked with handling records requests, it is not your responsibility to handle a request; passing the request upwards is always an acceptable way to handle the situation. However, you do have a responsibility, both to the requester and to your agency, to pass the request on as soon as possible. This minimizes delays for the requester, and prevents potential future liabilities for the agency.
What is a request?
This isn’t just a section for definitions; determining the type and means of the request is critically important.
There are two main types of requests. If someone comes in and demands to browse through copies of records, that request is taken under GOV 7922.525, and for this guide, will be referred to as a “525”. This is far less common than requests under GOV 7922.535, referred to in this guide as a “535”.
525s are simple enough to deal with that they only need one paragraph. When someone comes in and requests to browse your documents, you must allow them to look for documents; if you want to pre-filter them, that’s fine, but taking an unreasonable amount of time to do so (more than a few hours) is completely unreasonable. What most agencies do, and what the OIC recommends, is allowing individuals to go look for documents, and then upon finding a document they want to view, determining whether the document is disclosable (and whether anything on the document needs to be redacted).
The rest of this guide pertains to 535s. A 535 is any request “for a copy of records” submitted by an individual; the key difference being the word “copy”. While a 525 request is just browsing through the records that exist, a 535 request is about creating a copy of the documents. This used to involve the physical work of copying documents once the agency searched for them; now, as most documents are electronic, the workload is shifted to searching.
A 535 request can be sent over any medium. This includes, but is not limited to, emails, phone calls, verbal conversations, and physical letters. It can also be received by any member of the agency, and the clock starts the second it is received in any form; for email, it starts on the day the email was sent, not the date it was first open. Those two principles are sometimes referred to as the “virality doctrine”. While the individual does need to specify what the request is about, this doesn’t need to be in writing; just speaking to someone at the agency is sufficient to get the request going. While there isn’t as much case law on alternative mediums, if it is possible to read and respond to a request through another medium, you should do so; for instance, a request over Instagram direct messages is likely legitimate.
You cannot require that an individual send a request over a specific medium, using a specific format, or make it in a specific way. While you may create forms to make processing requests easier (which we don’t recommend – see the Tips section), these cannot be mandatory for individuals to use. You also cannot require that an individual send the request to a specific person in the agency; the clock begins ticking as soon as any employee of the agency receives the document.
How do I know what to look for?
All valid requests under the California Public Records Act must contain a clear description of the records being searched for. A request may search for more than one record, or even more than one category of record. While most requests will likely just be for a single document, some requests historically have been for thousands of documents, totaling tens of thousands of pages of information.
As long as there is some description of the records being looked for, you must take that description and search for records with it. If the description is not interpretable, or the individual doesn’t provide a description, you are obligated under GOV 7922.600 to provide assistance to the individual in making their request. The clock doesn’t start until there is a clear request; however, as soon as one exists, it does, and if you falsely interpret a request as not being clear enough, you may be liable if you exceed the time limits.
This will likely require lots of coordination with different departments of your agency. Make sure to continually follow up and demand documents be provided to you as soon as possible; delaying a request is a significant issue.
You cannot charge any fees to search for documents; these are entirely illegal under all circumstances.
What are the time limits?
The time limits are a critical part of the California Public Records Act. You must provide all of the documents in a request within ten calendar days. It doesn’t matter if the request was made or the time period ends on a non-working-day, even a state holiday; if your office does not work on the end date of a request, you should process the request before the last day of work.
Under some circumstances, you can delay handling a request. These are specified in GOV 7922.535(c), and are typically about physical delays that would be impossible to overcome otherwise. Do not use these delays lightly; they are intended only for emergency situations, and are extremely limited in scope. If you have any doubts as to whether a delay applies, do not apply it. If you are going to apply a delay, it can be no more than 14 calendar days from the end of the 10-day period; however, you must honestly assess how much time is required, and make a legitimate determination of the extra time needed.
If there is no reason to delay processing a request, it should be processed as soon as possible. Failing to process a request with reasonable speed, and especially intentionally delaying its processing, is illegal under GOV 7922.500; this includes delaying a request to the end of the legal periods. As an example, if all the documents in a request are gathered and evaluated by the third day of a request, they should be released on that day; it would be illegal to delay the release further.
I retrieved the documents; what next?
You now have to evaluate whether any exemptions apply to the documents. In most cases, no exemptions will apply; however, some agencies have specific limitations on disclosure, which are generally codified in Part 5 of the CPRA. Review of documents by legal counsel at this time may be recommended, and is commonly required in organizational policies.
All exemptions should be as narrowly applied as possible; that means that only records which are clearly and undeniably exempt should be withheld. There is also a general exemption principle that can be applied: a denial can be made if “on the facts of the particular case the public interest served by not disclosing the record clearly outweighs the public interest served by disclosure of the record” (GOV 7922.000). The word “clearly” is critical here; if there is any doubt, then the record should be disclosed.
For some documents, parts of the documents may not be disclosable, but the document overall would be. In those cases, those parts of the documents must be redacted, and then the documents should be deemed disclosable.
Documents were deemed disclosable; what next?
An individual has the right to receive documents in the original medium, or to request translation of the document to another medium.
If the document is digital, and the requester desires a digital copy (when not specified, this should be presumed), the document must be provided digitally at no charge.
If the document is digital, and the requester desires a physical copy, the agency may elect (and should, unless the agency has no printing services in any form) to print the documents for the requester. This is a common service recommended for accessibility of documents to those without technological access or skills. An agency may charge the exact costs of printing the documents, but no more; it is recommended that, unless the order is large and would cause a burden to the agency, that printing costs be waived. The requester also has the right to use their own printing equipment; however, this is effectively equivalent to providing a digital copy to the requester.
If the document is physical, and the requester desires a digital copy, the document should be scanned. The agency may charge the physical costs of scanning the document, but the requester has the right to use their own scanning equipment on the original (with rare exceptions not applying to most agencies).
If the document is physical, and the requester desires a physical copy, a photocopy – using either the agency’s equipment (using the same fees policy described previously) or the requester’s equipment (at no charge) should be used.
In any case with physical documents, the individual has the right to inspect the documents as if they were pulled using a 525, coming to the agency’s physical office and observing them without copying them (or copying them using their own equipment).
Documents were deemed nondisclosable; what next?
The first duty you have is to list all exemptions that were used, and explanations why. The explanation is critical if the catch-all (“public interest”) is used. You should then offer under GOV 7922.600(a)(3) suggestions for narrowing the request, or other ways of overcoming the denial.
You must list the names and titles/positions of every individual who was involved in denying the request – this includes yourself, as well as anyone you consulted with on the request who recommended denial. The exact requirements for this, as well as the list of exemptions, come from GOV 7922.540.
There is the possibility the requester could bring legal action against the agency. Thus, denying disclosure should never be done lightly.
Further Provisions
There are many other things for agencies to be aware of when handling requests.
Identity, Residency, and Intention Protection
No one has to identify themselves in a request, except to the minimum amount necessary to process the request (such as leaving return contact information for a 535). While you can ask for information, it should be clear that providing it is not required, and sensitive information (addresses, for instance) should not be requested.
You cannot discriminate against a requester based on any category, including California residency. You are obligated to handle all requests the same, even if the requester is making the request from another state or from another country. You cannot prioritize requests based on whether someone is a California resident or not; requests should be handled in the order they were received.
You cannot discriminate against a requester based on their intentions for making the request. The only time in which it is appropriate to ask someone for their intentions behind the request is if you are offering assistance in creating the request under GOV 7922.600, and even then, providing the intentions should not be made mandatory. If a requester states their intentions in the request, those intentions should not under any circumstances be used to change how the request is handled.
Agencies Covered
Almost all public agencies in the State of California are covered. This includes state agencies, local agencies, boards, special districts, and more. The primary exceptions are the State Legislature and the court systems, each of which have their own special records laws.
Some agencies have specific exceptions by which they can deny most requests; however, these are typically hyperspecialized, such as the California Victim Compensation Board. Schools, police departments, sheriff’s agencies, and others are not exempt from the California Public Records Act, and while they often have more documents which are exempt, a large quantity of documents are not.
Voluntary Disclosure
Some types of records are not prohibited from disclosure, but are rather just not required to be disclosed. Under GOV 7921.500, an agency may choose to disclose those documents. The Open Information Collective highly recommends that public agencies disclose non-prohibited documents, as they often serve critical purposes for public information and transparency.
Personal Information Redactions
There are varying opinions on what personal information of government officials must be redacted from reports. In general, if the information exists somewhere in another record disclosed by the agency, on an agency website, or in some other release to the public by the agency, that information should be released. Names should almost never be redacted, unless a specific exemption applies (such as protecting the anonymity of an individual reporting sexual harassment). Social security numbers must be redacted under all circumstances, pursuant to GOV 7922.200. There are also other restrictions in most cases for some other types of identifying information, including home addresses, some telephone numbers, and birthdates, pursuant to GOV 7928.300.
External Records Handling Agencies
An agency may hire platforms to facilitate making easier requests; however, individuals must still be able to send requests directly. An agency may not contract with an outside company to handle the requests, pursuant to GOV 7921.005. Further, selling or transferring original copies of records to another agency in a way that prohibits it from being disclosed by the originating agency itself is prohibited pursuant to GOV 7921.010.
“Open Data” Collections
If an agency maintains an “open data” collection (some specific agencies are required to do this, but other agencies may elect to in order to foster public transparency), there are requirements that said collection must follow, listed in GOV 7922.680.
“Enterprise Systems” Catalog
All agencies are required to maintain a catalog of the “enterprise systems” that they use, pursuant to GOV 7922.710(a), and update it annually pursuant to GOV 7922.710(b). An enterprise system is defined as anything that collects, stores, exchanges, and analyzes agency information, is either multi-departmental or contains information about the public, and is a system for maintaining records/information. The full definition is contained in GOV 7922.700.
If the agency has a website, that website must prominently (in an obvious and clear location) feature the enterprise systems catalog, pursuant to GOV 7922.715(b).
The information that must be provided in the catalog is defined in GOV 7922.720.
Employment Contracts
Except in the rare cases in which a contract may be exempt under FERPA (a disputed exemption which is rarely applied) or other federal law, pursuant to GOV 7928.400, employment contracts are immune from almost all exemptions, and must always be disclosed.
Tips/Recommendations
Don’t break the email chain! It’s become commonplace for agencies to send responses to requests in separate emails, or when an individual has made multiple requests, to merge email chains. This makes it much more difficult for requesters to track their requests. All communications should happen as one, linear, continuous email chain (always reply all, and only to the most recent email).
Don’t use forms. While forms aren’t mandatory for an individual to use, most individuals aren’t aware of their rights to circumvent the forms. Psychologically, forms make an individual less likely to request records, as it is a much greater barrier. It also breaks down the two-way communication that is supposed to occur between an agency and a requester. Instead, clearly indicate an email address as the preferred way to receive requests; this can either be a dedicated inbox, such as publicrecords@agencyname.tld, or the direct email address of the primary individual responsible for handling the request. Also be sure to provide alternate methods of sending requests, including the agency’s mailing address and phone numbers.