In Part 1 and Part 2 I discussed four steps that I recommend employers follow in using criminal records. Here in Part 3 and the last part of this series, I address the process of the handling of the documents.
Step 5: Handling Documents with CORI
Criminal records information obtained from any source is confidential, and employers must take precautions to insure that such information is protected from disclosure. Because of the highly confidential nature of criminal records, the number of individuals who are authorized to request, access, receive and review such information must be limited, and there are strict procedures for handling, storing and destroying criminal records information. The new regulations provide for controls by:
- Requiring the designation of a CORI Representative for an employer;
- Requiring a Secondary Dissemination Log to track all distribution of CORI;
- Limiting employer registration for CORI to one year increments; and
- Limiting the validity of employee or applicant Acknowledgement Forms to 12 months from the execution date or the end of employment, whichever is sooner.
Additionally, hard copies of CORI must be stored in a separate locked and secure location, and electronic CORI must be password-protected, encrypted and may not be stored using public cloud storage methods. CORI must also be destroyed no later than seven years from the date of employment or the date of the final employment decision based on the CORI, whichever is later. When CORI is destroyed, hard copies must be shredded or otherwise disposed of such that inadvertent disclosure will not occur, and electronic copies must be deleted from the employer’s hard drive and any back-up system. If a computer that was used to obtain, access or store CORI is to be disposed or re-purposed, the employer must clean the information by electronic or mechanical means. Because of the high-level of security required, employers may want to consider using a stand-alone computer with separate back-up capabilities solely for CORI purposes.
Although the new regulations provide much-needed clarification on CORI access and use, employers must be mindful of the overlap of CORI and discrimination laws and be vigilant in establishing and enforcing procedures to comply with these new, specific requirements.
The Criminal Records Review Board (“CRRB”) is tasked with investigating and hearing complaints regarding violations of the CORI statutes and regulations. Penalties for any individual violating CORI statutes or regulations range from a civil fine of $1,000 for a first violation, up to $5,000 for the third and each subsequent violation. The CRRB may also refer matters to governmental agencies for criminal investigation(s). Violations of the CORI statutes or regulations may result in criminal penalties of one year in a house of correction and/or a fine of up to $5,000 per violation for individuals, and up to $50,000 per violation if a business violates the CORI laws.
Because the regulations are new, it is unclear how the penalties will be imposed or how each violation will be assessed. Thus, employers should be aware that any violation, from allowing access to an unauthorized employee, to misusing criminal records information, to failing to delete criminal records information from a discarded computer, may lead to civil and criminal fines and penalties.