Massachusetts issued the Final Regulations pertaining to both employers and Consumer Reporting Agencies’ use of Criminal Offender Record Information (CORI).
Employers have several requirements they must adhere to whether running a statewide criminal history search through the iCORI system, or using a county or federal criminal history search.
To obtain access to Standard or Required Access CORI (Massachusetts Statewide criminal checks) employers must register for and renew on an annual basis an iCORI account. To register for an iCORI account, an employer must provide: (1) Identifying information regarding the individual user and the business required by DCJIS; and (2) Information regarding the purpose for requesting CORI, including any statutory, regulatory or accreditation requirements that mandate CORI or criminal history screening.
CORI Acknowledgment Form
For each Standard or Required Access CORI requested, an employer must submit a CORI Acknowledgment form for each applicant. This form is separate from the required disclosure and authorization under the Federal Fair Credit Reporting Act. Employers must also verify the identity of the applicant by examining a government-issued identification. CORI Acknowledgment Forms are valid for one year from the subject having signed the form, or until the conclusion of the subject's employment (whichever comes first). The employer may submit a new CORI request within one year of the subject's having signed the original CORI acknowledgment form, provided the requestor givens written notice to the subject at least 72 hours before submitting the request. If an applicant then objects to the new request for CORI, the CORI acknowledgment form becomes invalid.
An employer must maintain a CORI policy if five or more criminal background investigations – whether CORI or any other source such as county or federal checks – are conducted. This written CORI policy must meet the minimum standards of the DCJIS model CORI policy.
Secondary Dissemination Law
Employers must maintain a secondary dissemination log for a period of at least one (1) year following dissemination of an individual’s CORI, which includes: individual’s name; individual’s date of birth; dissemination date and time; name of person to whom the information was disseminated and the specific reason of dissemination.
There are two separate adverse action processes outlined by the Final Regulations. Overall these two processes are relatively similar. Both require the employer to: Comply with applicable federal and state laws and regulations; notify the individual in person, by telephone, fax, or electronic or hard copy correspondence of the potential adverse employment action; provide a copy of the individual’s CORI record to the individual (or a copy of the individual’s criminal history information to the individual including the source of the other criminal history information); provide a copy of the employer’s CORI policy ; provide the individual with the opportunity to dispute the accuracy of the information; provide the individual with a copy of DCJIS information regarding the process for correcting CORI (or other criminal records) and document all steps taken to comply with these requirements. One important distinction: if employers are considering taking adverse action based on CORI, they must identify the specific CORI information that is the basis for such action.
Storage, Retention and Destruction
CORI data cannot be retained by employers for than seven (7) years from the date of employment or volunteer service, or from the date of the final employment decision of the requester regarding the applicant – whichever occurs later. The Final Regulations stipulate the requirements for both hard copy data and electronically stored CORI. CORI data may not be stored in a public cloud.