New Changes to Massachusetts CORI Regulation

By Michael Klazema on 5/24/2017

In May of 2012, Massachusetts passed the Criminal Offender Record Information (CORI) law which regulates how employers conduct criminal history checks. Most recently, the Massachusetts Department of Criminal Justice Information Services (DCJIS) issued amended CORI regulations that will require employers to modify their criminal history background check procedures.

New Definitions for Employee and CORI

The new CORI regulation expands the definition of employees by including volunteers, subcontractors, contractors, vendors, and special state, municipal, or county employees as those terms are defined in M.G.L. C. 268.

The original CORI regulations did not define CORI but only listed of examples of information included and excluded from CORI. The 2017 regulation defines CORI as “Records and data in any communicable form compiled by a Massachusetts criminal justice agency which concerns an identifiable individual and relate to the nature or disposition of a criminal charge, an arrest, a pre-trial proceeding, other judicial proceedings, previous hearings conducted pursuant to M.G.L. c. 276 § 58A where the defendant was detained prior to trial or released with conditions under M.G.L. c. 276, § 58A(2), sentencing, incarceration, rehabilitation, or release.” The new definition of “criminal justice agency” appears to cover courts: “A Massachusetts agency which performs, as its principal function, activities relating to crime prevention, including the following: research or the sponsorship of research; the apprehension, prosecution, adjudication, incarceration, or rehabilitation of criminal offenders; or the collection, storage, dissemination, or usage of criminal offender record information.”  The new definition of CORI specifically excludes information related to criminal proceeding that was initiated against an individual before he or she turned 18, unless the individual is adjudicated as an adult. 

The iCORI Agency Agreement

Requestors registering for CORI access must complete the iCORI Agency Agreement which consist of the following:

  1. Requestor agrees to comply with the CORI laws and regulations;
  2. Requestor will maintain an up to date “need to know” list, and provide all staff that request, review, or receive CORI with the CORI training materials;
  3. Requestor will only request the level of CORI access authorized under statute or by the DCJIS; and
  4. Requestors are liable for any violations of the CORI laws or regulations. Individual users of the requestor’s account may also be liable for said violations.

The new CORI regulation defines the “need to know” list as staff members who have been authorized to request, receive, or review CORI. The list must be updated every six months and must be made available to the DCJIS upon request.
CORI Acknowledgment Form

The DCJIS webpage provides the Model CORI Acknowledgment Forms with the required fields of information. Employers now have the option to use the published CORI Acknowledgment Forms or incorporate the language and information provided on the forms into their application.

The DCJIS also made the following changes regarding the use and disposal of the Acknowledgment Forms:

  • Employers can now collect CORI acknowledgment forms electronically, including during an electronic application process;
  • Employers can verify a person’s identity by examining a suitable form of government-issued identification containing a photograph of the person. If the person does not have an acceptable form of government-issued identification, the employer can use the birth certificate or social security card to as another form of identification;
  • Under the 2012 CORI regulation, employers could submit a new request for a CORI check within one year of an individual having signed the Acknowledgment Form, but were also required to provide the individual with written notice at least 72 hours before submitting the request. The new CORI regulation eliminated the 72-hours written notice and now allows employers to run an additional check, provided that the employer notifies the applicant on the Acknowledgment Form that  a CORI check may be requested within a year; and
  •  CORI report and CORI Acknowledgment Forms must be appropriately destroyed by electronic or mechanical means, before disposing of, or repurposing, a computer or other device used to store CORI.

Cloud CORI Storage

Under the new regulation, CORI can be stored using cloud storage methods. In order for employers to store CORI in the cloud storage method, the employer must have a written agreement with the storage provider, and provide encryption and password protection of all CORI.

Additional Information for Pre-Adverse Action Notice

Before taking adverse action against an employment applicant or employee based on their CORI report or criminal history information obtained through DCJIS, the employer must provide the applicant a copy of their CORI report, and identify the specific information in the report that is the basis for potential adverse action. The new regulation requires employers to follow the same procedure even when the criminal history information is obtained from another source other than DCJIS. This obligation seems consistent with the federal Fair Credit Reporting Act’s pre-adverse-action notice. 

The regulations continue to require employers that conduct five or more criminal background checks to maintain a background check policy, and to provide a copy of the policy with pre-adverse action notifications.  This applies when the CORI report is obtained from DCJIS or any other source.  DCJIS has, however, limited the requirement that an employer provide DCJIS Information Concerning the Process in Correcting a Criminal Record, to those instances where CORI is considered as part of a potential adverse action. 

Obtaining CORI from Background Screening Companies

The regulation continues to allow background screening companies to obtain CORI on behalf of employers, but the companies must maintain restrictions on the storage of this information. Specifically, the regulations continue to prohibit background screening companies from electronically or physically storing CORI results, unless the background screening company is authorized by the employer to act as the decision maker. In addition, the regulation states that the employer must provide a statement to the background screening company indicating whether the annual salary of the position for which the applicant is being screened is either above or below $75,000.

In the near future, DCJIS will be publishing an updated CORI Acknowledgment Form, a Model CORI Policy, cloud storage guidelines, and the iCORI Agency Agreement.

The 2017 amended CORI regulation is available here for review:

Tag Cloud
Recent Posts

Latest News

  • November 08 A Texas-based company was found to be supplying landlords with inaccurate background check results, potentially affecting housing decisions. The company must pay a record-setting settlement.
  • November 07 Orange Leaf Frozen Yogurt brand trusts to perform the crucial function of background checks on job candidates before extending offers of employment.
  • November 06 The man previously responsible for running background checks on New York City’s school bus drivers says the city’s Department of Education has been pushing back against more thorough checks. The DOE reportedly circumnavigated proper bus driver vetting channels for most of the spring and summer this year.
  • November 06 If you have a series of speeding tickets or other traffic violations, do you need to disclose them as criminal history?
  • November 01 South Carolina's legislature recently adopted a measure to expand access to expungement opportunities for the state's ex-convicts, but other gaps in the process remain. Advocates disagree on how to address the problem to protect offenders as well as the public.
  • October 31 Background checks will show different things depending on the type of check. Here are a few ways employers can use background checks to learn about candidates.
  • October 30 The Pentagon recently disclosed a breach that exposed the personal information of roughly 30,000 personnel. The government blamed the breach on a contractor, calling into question background check policies for federal government vendors.
  • October 30 Just because a record has been expunged from the record or sealed from public view doesn’t mean all traces of it are gone. Expunged and sealed records can sometimes show up on criminal background checks.
  • October 29 What is the status of your driver’s license? Not only can driver’s license statuses impact your ability to drive legally, but they can also impact your auto insurance coverage.
  • October 26 As fresh details emerge in the long-running sex abuse scandal plaguing the Catholic Church, some efforts to mitigate risks and protect the vulnerable stand out from the rest, including those in the diocese of Austin, Texas.