New Changes to Massachusetts CORI Regulation

By Michael Klazema on 5/24/2017

In May of 2012, Massachusetts passed the Criminal Offender Record Information (CORI) law which regulates how employers conduct criminal history checks. Most recently, the Massachusetts Department of Criminal Justice Information Services (DCJIS) issued amended CORI regulations that will require employers to modify their criminal history background check procedures.

New Definitions for Employee and CORI

The new CORI regulation expands the definition of employees by including volunteers, subcontractors, contractors, vendors, and special state, municipal, or county employees as those terms are defined in M.G.L. C. 268.

The original CORI regulations did not define CORI but only listed of examples of information included and excluded from CORI. The 2017 regulation defines CORI as “Records and data in any communicable form compiled by a Massachusetts criminal justice agency which concerns an identifiable individual and relate to the nature or disposition of a criminal charge, an arrest, a pre-trial proceeding, other judicial proceedings, previous hearings conducted pursuant to M.G.L. c. 276 § 58A where the defendant was detained prior to trial or released with conditions under M.G.L. c. 276, § 58A(2), sentencing, incarceration, rehabilitation, or release.” The new definition of “criminal justice agency” appears to cover courts: “A Massachusetts agency which performs, as its principal function, activities relating to crime prevention, including the following: research or the sponsorship of research; the apprehension, prosecution, adjudication, incarceration, or rehabilitation of criminal offenders; or the collection, storage, dissemination, or usage of criminal offender record information.”  The new definition of CORI specifically excludes information related to criminal proceeding that was initiated against an individual before he or she turned 18, unless the individual is adjudicated as an adult. 

The iCORI Agency Agreement

Requestors registering for CORI access must complete the iCORI Agency Agreement which consist of the following:

  1. Requestor agrees to comply with the CORI laws and regulations;
  2. Requestor will maintain an up to date “need to know” list, and provide all staff that request, review, or receive CORI with the CORI training materials;
  3. Requestor will only request the level of CORI access authorized under statute or by the DCJIS; and
  4. Requestors are liable for any violations of the CORI laws or regulations. Individual users of the requestor’s account may also be liable for said violations.

The new CORI regulation defines the “need to know” list as staff members who have been authorized to request, receive, or review CORI. The list must be updated every six months and must be made available to the DCJIS upon request.
CORI Acknowledgment Form

The DCJIS webpage provides the Model CORI Acknowledgment Forms with the required fields of information. Employers now have the option to use the published CORI Acknowledgment Forms or incorporate the language and information provided on the forms into their application.

The DCJIS also made the following changes regarding the use and disposal of the Acknowledgment Forms:

  • Employers can now collect CORI acknowledgment forms electronically, including during an electronic application process;
  • Employers can verify a person’s identity by examining a suitable form of government-issued identification containing a photograph of the person. If the person does not have an acceptable form of government-issued identification, the employer can use the birth certificate or social security card to as another form of identification;
  • Under the 2012 CORI regulation, employers could submit a new request for a CORI check within one year of an individual having signed the Acknowledgment Form, but were also required to provide the individual with written notice at least 72 hours before submitting the request. The new CORI regulation eliminated the 72-hours written notice and now allows employers to run an additional check, provided that the employer notifies the applicant on the Acknowledgment Form that  a CORI check may be requested within a year; and
  •  CORI report and CORI Acknowledgment Forms must be appropriately destroyed by electronic or mechanical means, before disposing of, or repurposing, a computer or other device used to store CORI.

Cloud CORI Storage

Under the new regulation, CORI can be stored using cloud storage methods. In order for employers to store CORI in the cloud storage method, the employer must have a written agreement with the storage provider, and provide encryption and password protection of all CORI.

Additional Information for Pre-Adverse Action Notice

Before taking adverse action against an employment applicant or employee based on their CORI report or criminal history information obtained through DCJIS, the employer must provide the applicant a copy of their CORI report, and identify the specific information in the report that is the basis for potential adverse action. The new regulation requires employers to follow the same procedure even when the criminal history information is obtained from another source other than DCJIS. This obligation seems consistent with the federal Fair Credit Reporting Act’s pre-adverse-action notice. 

The regulations continue to require employers that conduct five or more criminal background checks to maintain a background check policy, and to provide a copy of the policy with pre-adverse action notifications.  This applies when the CORI report is obtained from DCJIS or any other source.  DCJIS has, however, limited the requirement that an employer provide DCJIS Information Concerning the Process in Correcting a Criminal Record, to those instances where CORI is considered as part of a potential adverse action. 

Obtaining CORI from Background Screening Companies

The regulation continues to allow background screening companies to obtain CORI on behalf of employers, but the companies must maintain restrictions on the storage of this information. Specifically, the regulations continue to prohibit background screening companies from electronically or physically storing CORI results, unless the background screening company is authorized by the employer to act as the decision maker. In addition, the regulation states that the employer must provide a statement to the background screening company indicating whether the annual salary of the position for which the applicant is being screened is either above or below $75,000.

In the near future, DCJIS will be publishing an updated CORI Acknowledgment Form, a Model CORI Policy, cloud storage guidelines, and the iCORI Agency Agreement.

The 2017 amended CORI regulation is available here for review:

Tag Cloud
Recent Posts

Latest News

  • May 18 In search of more personnel and considering normalization, some major employers have elected to drop pre-employment drug screens for marijuana. As the opioid epidemic continues, there is still a role for workplace drug tests.
  • May 15

    A Congressional IT contractor who is facing bank fraud, a class-action lawsuit, and allegations of cyber breach never underwent a background check. Congressional guidelines recommend background screenings but have a loophole that makes it possible to skip them.

  • May 10 Are SSN background checks essential, or even necessary? We look at what Social Security Number data can and cannot do in the background check process.
  • May 10

    In the wake of an attack in which the perpetrator used a rental vehicle to strike pedestrians, and with a growing number of such attacks around the world in recent years, rental companies must consider how to address the issue. Effective security measures have proven difficult to implement.

  • May 08 Some statistics suggest employers aren’t running international background checks. In a job market where foreign candidates are increasingly common, this oversight can be dangerous.
  • May 03

    Despite player numbers in the millions, the primary sanctioning body for youth soccer in the United States established no standard policy requiring background checks. They face legal jeopardy due to the actions of abusive coaches. 

  • May 03 Are you applying for a job with Starbucks? Here’s what to expect from the background check process.
  • May 02 — Further restrictions have been placed on employers that inquire about prior criminal records. Timeframes have been adjusted and asking about expunged records is prohibited. 
  • May 01 Uber is expanding its background check policies. Going forward, the company will incorporate repeat background checks and ongoing criminal monitoring into its driver screening processes.
  • April 28 Airport background checks are governed by the TSA and FAA. They typically include employment history checks, criminal history searches, and a few other elements.