NEW CORI REGULATIONS ISSUED, CHANGING EMPLOYER OBLIGATIONS FOR OBTAINING CRIMINAL RECORD INFORMATION

by Employment Attorney Leslie Lockard
The Law Office of Leslie Lockard, P.C.
P.O. Box 537
Walpole, MA 02081
Tel. 508 850-9800
FAX 508 850-9801
Email: Llockard@leslielockard.com
Website: www.LeslieLockard.com
April 28, 2017

The Massachusetts Department of Criminal Justice Information Services (DCJIS) recently issued amended regulations which establish some additional requirements for employers who obtain criminal record information about job applicants or employees. In 2012, the DCJIS had issued regulations in connection with comprehensive reform of the state “criminal offender record information” (CORI) system. The 2012 regulations set forth detailed rules and procedures employers must follow if they, or a consumer reporting agency (CRA) on their behalf, seek CORI about employees or applicants through the DCJIS online CORI system. Some of the regulations also apply to employers who obtain “criminal record information” from sources other than the DCJIS CORI system. For example, the 2012 regulations require employers to have a written criminal record information policy if they annually conduct five or more criminal background searches, whether the information comes from the state CORI system or from other criminal record information sources.

Some of changes in the regulations most significant for private employers are the following:
  1. VOLUNTEERS, CONTRACTORS, SUBCONTRACTORS AND VENDOR PERSONNEL NOW COVERED

    The state CORI law requirements now apply not just to those who obtain criminal record information about employees and job applicants, but also to those who obtain such information about people who seek or hold positions as volunteers, subcontractors, contractors, or with vendors.
  2. NEW RULES FOR OBTAINING CONSENT FOR CORI SEARCHES

    To obtain a CORI report, an employer is required to first obtain a signed authorization from the subject of the report. There is now a revised Acknowledgement Form on the DCJIS website that employers can begin using. (Or they can incorporate that same wording into their own acknowledgement form).

    Employers must verify the identity of the subject of a CORI search by examining a government issued ID (such as a state issued license or ID card, a passport or a military ID). However, the amended regulations state that if the subject does not have a government issued ID, the employer must verify identity by examining either the subject’s birth certificate or Social Security card.

    An employer may now obtain another CORI report on the subject within one year of the subject having signed the original Acknowledgement form—as long as the employer states on the form that CORI may be requested by the employer at any time during that one year. Gone is the requirement in the original regulations that an employer must give the subject at least 72 hours’ notice before seeking a subsequent CORI report in that year.

    The amended regulations specify that employers may collect signed CORI acknowledgement forms electronically, including as part of an electronic job application process. Rather than personally inspecting the subject’s identity documentation, an employer may obtain electronically from the subject a notarized acknowledgement form.
  3. CORI CAN NOW BE RETAINED IN CLOUD STORAGE

    The original regulations prohibited employers from storage of CORI in the cloud: only hard copy and non-cloud electronic storage were permitted. The regulations stated that hard copies of CORI must be stored in a separate locked and secure location, which can be accessed only by employees approved by the employer for CORI access. As to electronic storage of CORI, the regulations require password protection and encryption, with password access limited only to CORI-access approved employees.

    The amended regulations now additionally permit cloud storage of CORI. However:
    • The cloud storage method must provide for encryption and password protection of all CORI
    • The employer must have a written agreement with the cloud storage provider, which includes the minimum security requirements published by the DCJIS concerning cloud storage. The cloud vendor agreement must be provided to the DCJIS for their inspection upon request.
  4. EMPLOYERS MUST KEEP A “NEED TO KNOW” LIST OF STAFF WHO ARE AUTHORIZED TO ACCESS CORI

    Employers must now keep a “Need to Know” list of staff who have been authorized to request, receive or review CORI. This list must be updated periodically, at least every six months. Upon request, the list must be made available to the DCJIS, or to a CORI subject, or to the subject’s advocate.
  5. AMENDMENT TO NOTIFICATION REQUIREMENTS BEFORE AN ADVERSE ACTION CAN BE TAKEN BASED ON CORI, OR CRIMINAL RECORD INFORMATION FROM ANOTHER SOURCE

    The original regulations required that employers provide certain information and documentation before deciding not to hire, or taking other types of adverse actions, based on the subject’s CORI, or other criminal record information obtained from any other source. For example, the employer must notify the subject of the potential adverse action, provide a copy of the CORI or other criminal record information, identify the source of information obtained from a source other than the state CORI system, and provide a copy of the employer’s CORI Policy. The amended regulations clarify that employers must identify the specific information that is the basis for the potential adverse action, not only in the subject’s CORI report, but also if the criminal record information comes from another source.
-----------------------------------------------------------------------------------------

Private employers will need to incorporate the new regulatory requirements into their criminal record check procedures. In addition, they may need to update their written criminal record check policies to the extent that their current policy wording is inconsistent with the new requirements.







Testimonials

"You are very easy to work with and your helpful and optimistic attitude is greatly appreciated".


 

Contact Info

Attorney Leslie Lockard
The Law Office of Leslie Lockard, P.C.
P.O. Box 537
Walpole, MA 02081
Tel. 508 850-9800
FAX 508 850-9801
Email: Llockard@leslielockard.com
Website: www.LeslieLockard.com