by Tim Murphy
In 2010, the Massachusetts Legislature made sweeping changes to the statute governing employers’ use of Criminal Offender Record Information (CORI). In addition to prohibiting employers from asking about an applicant’s criminal history on the job application, the amendments called for additional changes to the way employers access CORI data and how they must use and maintain that information. Those remaining changes become effective May 4 and include the following:
- Web-based access for all employers. CORI data soon will be available to all employers via a new Web-based criminal background database called iCORI on May 7. Initially the information will be limited only to felony convictions less than 10 years old and misdemeanor convictions less than five years old; however, all convictions for murder, manslaughter, and certain sexual offenses will appear on the subject’s iCORI report regardless of the age of the conviction.
- Notification requirements. Beginning in May, employers must provide applicants and current employees with a copy of their criminal history reports before either questioning them about the reports or making adverse employment decisions based on the information therein. This requirement applies to all criminal background information, regardless of whether it is obtained through iCORI. Employers that intend to base an adverse decision on a criminal history search also should provide the candidate with a copy of the Department of Criminal Justice Information Services’ document Information Concerning the Process in Correcting a Criminal Record.
- Record-keeping requirements. There are new, strict record-keeping requirements and record-keeping limits for employers that receive CORI data. Employers must obtain signed acknowledgment forms before conducting a search, and the forms must be kept for one year from the date of the request for information.
- Dissemination restrictions. Employers may share CORI data only with persons in their organization with a need to know the information. Employers also must keep a log of all persons with whom the information is shared, and the log must be maintained for a year after the date of dissemination.
- Data storage. Employers are required to store hard copies of CORI data in locked and secured locations. Electronically stored data must be password-protected and properly encrypted. Data may not be stored for more than seven years, and employers must implement effective means for destroying or deleting such information.
- Written policy requirements. Employers that annually conduct five or more criminal background investigations now will need to maintain a written CORI policy. This policy must indicate that the employer will notify applicants of any potential adverse decision based on CORI information, provide applicants with their CORI report and the employer policy, and provide information concerning the process for correcting a criminal record.
The law also provides for periodic audits of employers that request and receive CORI data, assessing fines of up to $5,000 for knowing violations of the laws.
Tim Murphy is a partner with Skoler, Abbott & Presser, P.C., in Springfield, Massachusetts, and a frequent contributor to Massachusetts Employment Law Letter, which will keep you up to date on CORI developments. For more information, you can reach Tim at (413) 737-4753.