This is a case involving a public sector employer and the Public Records Act. It may someday be relevant to private sector employers and “bring your own device” policies, as well as private sector employees’ privacy interests. Thus, the California Supreme Court noted, in a unanimous opinion written by Justice Corrigan:
This case concerns how laws, originally designed to cover paper documents, apply to evolving methods of electronic communication. It requires recognition that, in today’s environment, not all employment-related activity occurs during a conventional workday, or in an employer-maintained workplace.
However, the decision is primarily about a statute, the Public Records Act, and Constitutional guarantees of open government. Therefore, the primary audience for this case is the public sector employer and its employees.
The Court framed the legal issue as follows:
The issue is a narrow one: Are writings concerning the conduct of public business beyond CPRA’s reach merely because they were sent or received using a nongovernmental account?
The Court’s answer is:
[N]o. Employees’ communications about official agency business may be subject to CPRA regardless of the type of account used in their preparation or transmission.
By way of background, here’s the posture of the case per the Court:
Ted Smith requested disclosure of 32 categories of public records from the City of San Jose, its redevelopment agency and the agency’s executive director, along with certain other elected officials and their redevelopment efforts in downtown San Jose and included emails and text messages “sent or received on private electronic devices used by” the mayor, two city council members, and their staffs. The City disclosed communications made using City telephone numbers and email accounts but did not disclose communications made using the individuals’ personal accounts.
Smith sued for declaratory relief, arguing CPRA’s definition of “public records” encompasses all communications about official business, regardless of how they are created, communicated, or stored. The City responded that messages communicated through personal accounts are not public records because they are not within the public entity’s custody or control. The trial court granted summary judgment for Smith and ordered disclosure, but the Court of Appeal issued a writ of mandate. At present, no documents from employees’ personal accounts have been collected or disclosed.
The Court discussed the text of the Public Records Act:
We begin with the term “public record,” which CPRA defines to include “any writing containing information relating to the conduct of the public’s business prepared, owned, used, or retained by any state or local agency regardless of physical form or characteristics.” (§ 6252, subd. (e); hereafter “public records” definition.) Under this definition, a public record has four aspects. It is (1) a writing, (2) with content relating to the conduct of the public’s business, which is (3) prepared by, or (4) owned, used, or retained by any state or local agency.
The crux of the issue (apart from “writing”) was whether emails and texts on personal devices were “prepared by, or (4) owned, used, or retained by any state or local agency.”
Relying on an analogous provision in the federal Freedom of Information Act, FOIA, the Court held:
We likewise hold that documents otherwise meeting CPRA’s definition of “public records” do not lose this status because they are located in an employee’s personal account. A writing retained by a public employee conducting agency business has been “retained by” the agency within the meaning of section 6252, subdivision (e), even if the writing is retained in the employee’s personal account.
The Court was mindful of the possibility that people will seek private information under the guise of the Public Records Act:
We clarify, however, that to qualify as a public record under CPRA, at a minimum, a writing must relate in some substantive way to the conduct of the public’s business. This standard, though broad, is not so elastic as to include every piece of information the public may find interesting. Communications that are primarily personal, containing no more than incidental mentions of agency business, generally will not constitute public records. For example, the public might be titillated to learn that not all agency workers enjoy the company of their colleagues, or hold them in high regard. However, an employee’s electronic musings about a colleague’s personal shortcomings will often fall far short of being a “writing containing information relating to the conduct of the public’s business.” (§ 6252, subd. (e).)
The City made a number of arguments regarding its duty to find and disclose communications initiated or maintained on private accounts. The court was unpersuaded, finding that the Constitutional guarantee of open records and the Public Records Act demonstrated a robust public policy in favor of disclosure that outweighed the burdensomeness to the government, as well as any privacy interest in work-related communications stored on personal devices. The Court was unimpressed by the argument that government officials should have the right to use personal devices to conduct government business without the potential for intrusion:
The City’s interpretation would allow evasion of CPRA simply by the use of a personal account. We are aware of no California law requiring that public officials or employees use only government accounts to conduct public business. If communications sent through personal accounts were categorically excluded from CPRA, government officials could hide their most sensitive, and potentially damning, discussions in such accounts. The City’s interpretation “would not only put an increasing amount of information beyond the public’s grasp but also encourage government officials to conduct the public’s business in private.”
The Court was likewise skeptical of the argument that government officials act in good faith and, therefore, should be able to keep public business out of the scope of the Public Records Act by using personal devices:
It is no answer to say, as did the Court of Appeal, that we must presume public officials conduct official business in the public’s best interest. The Constitution neither creates nor requires such an optimistic presumption. Indeed, the rationale behind the Act is that it is for the public to make that determination, based on information to which it is entitled under the law. Open access to government records is essential to verify that government officials are acting responsibly and held accountable to the public they serve. (CBS, Inc. v. Block (1986) 42 Cal.3d 646, 651.) “Such access permits checks against the arbitrary exercise of official power and secrecy in the political process.” (Ibid.) The whole purpose of CPRA is to ensure transparency in government activities. If public officials could evade the law simply by clicking into a different email account, or communicating through a personal device, sensitive information could routinely evade public scrutiny.
So, at least in California, one does not escape a records act request by, say, setting up a private server, or conducting public business via email on a non-government domain. I’ll say nothing more on this, I promise.
Regarding public sector employers, the Court realized that there will be burdens associated with the ruling. But the Court pointed to a number of statutory exceptions in the Public Records Act, and also cited to court decisions limiting the public employer’s obligations to gather data. For those interested, they are detailed in the opinion.
As far as private sector employers go, although the opinion does not impose new obligations on private sector employers, there are some take-aways here.
First, employees’ privacy rights are balanced against other legal rights. For example, there are laws concerning discovery of electronic data that may and do extend to personal devices in litigation. Courts will not exempt employees’ private devices from discovery if there is a reasonable chance of discoverable information. Therefore, employers with Bring Your Own Device programs should ensure there are ways to capture work-related communications. Discovery “holds” may extend to data on these devices, when the employer knows they are in use for business reasons.
Second, employers may decide what sort of business information may be transmitted on non-work-related email servers and electronic media that are not within the Company’s control.
Third, employers should train IT and management about their obligations to preserve business-related data when litigation occurs.
This case is City of San Jose v. Superior Court (Smith) and the opinion is here.