5 Steps for Employer Use of Criminal Records: Part 1

Massachusetts enacted broad reforms to its Criminal Offender Record Information (“CORI”) laws in August 2010.  These reforms emphasize existing non-discrimination requirements and provide new requirements for accessing records through the on-line system (“iCORI”), as well as using and maintaining criminal records. 

The first part of the CORI reform laws became effective in November 2010, requiring employers to refrain from asking employees and job applicants to provide their criminal record history.  The second part became effective May 4, 2012, requiring employers to follow certain procedures for obtaining and handling criminal records information when screening existing employees and applicants, and providing employees/applicants with certain due process rights before an employer can make an adverse employment decision based on such records. 

The CORI system is complicated, and employers can easily and unknowingly run afoul of its mandates and prohibitions.  To help you avoid exposure to these risks, I have broken down the CORI process into five steps.  The first two steps are detailed in this post and the remaining steps will be explored in separate posts in the coming weeks.

Step 1: Registering and Preparing for CORI Access

Employers must register with the Massachusetts Department of Criminal Justice Information Services (“DCJIS”) to access criminal records information through iCORI, and designate a CORI Representative.  The CORI Representative is responsible for:

  • Reading and reviewing the CORI regulations;
  • Appointing a back-up CORI Representative;
  • Registering the organization and annually reviewing the organization’s registration;
  • Entering information of authorized users within the organization and maintaining user accounts;
  • Confirming that all organization users have reviewed and understand DCJIS CORI training;
  • Maintaining an up-to-date list of all organization individuals (not just users) authorized to view criminal records information;
  • Maintaining information about consumer reporting agencies which the organization has authorized to conduct CORI checks (if applicable);
  • Ensuring that the organization has a CORI policy (if applicable, as described below); and
  • Ensuring that every authorized user of the iCORI system participates in the required DCJIS’s CORI training. 

Additionally, the employer must create a Secondary Dissemination Log (the “Log”) to track anyone to whom the obtained information was provided.  The Log should contain the following:

  • The name of the individual whose CORI was requested;
  • The date of birth of the individual whose CORI was requested;
  • The date and time of the dissemination of obtained criminal records information;
  • The name of the person to whom the information was disseminated along with the name of the organization for which such person works (if different from the employer); and
  • The specific reason for the dissemination.

Because the Log is subject to audit by the DCJIS, it is vital that the information is accurate and up-to-date.  Also, every recipient of criminal records information should understand that it is confidential and prohibited from further distribution.

If the employer conducts more than five CORI requests in a year, the employer must also create and distribute to all employees a policy addressing CORI.  The DCJIS offers this Model CORI Policy as a starting point.  While this model is a nice starting place, employers should carefully review any policy, tailor it to their respective organization and ensure that employees understand and consistently follow it.

Step 2:  Obtaining Authorization from the Employee or Applicant for CORI

Before an employer can submit a CORI request about an individual, it must complete a CORI Acknowledgement Form for the individual.  The Form must be provided to the individual for signature and verification of his/her identity.  A completed Form is only valid until the earlier of the end of 12 months from the date of the individual’s signature, or the end of the individual’s employment.  If the individual refuses a request for CORI that is made in compliance with the CORI laws, then an employer may make an adverse employment decision based on such refusal.

The notarized signature of an employee or applicant in Massachusetts is sufficient for an employer outside of Massachusetts.

Please see my next post in this series for Step 3, (Notifying Employee/Applicant of CORI) and Step 4, (Using CORI Properly).