CSI ALERT – Amended Massachusetts Department of Criminal Justice Information Services Regulations - A Creative Services, Inc. Compliance Corner Article

Resource Center

Compliance Corner

CSI ALERT – Amended Massachusetts Department of Criminal Justice Information Services Regulations

05.03.17

The Massachusetts Department of Criminal Justice Information Services (DCJIS) published amended agency regulations (803 CMR 2.00 et. seq.) effective April 27, 2017 to their website.  Click here to visit the DCJIS website.   

DCJIS notes on their website that only official versions of the regulations may be provided by the Secretary of the Commonwealth, Regulations Division.  Therefore, the versions provided on their website are unofficial copies of the regulations.

Updated CORI Acknowledgement Forms, a Model CORI Policy, Cloud Storage Guidelines and the iCORI Agency Agreement are not yet available, but will be posted on the DCJIS website soon.

What are some of the biggest definition changes to the DCJIS regulations for employment purposes?

Employment Applicant Definition
The amended regulations broaden the definition of “employment applicant” to include not only individuals applying for employment and volunteer opportunities, as was under the previous regulations, but now extends to subcontractors, contractors and vendors (as well as certain defined special state, municipal, or county employees under M.G.L. c. 268, § 1.)

CORI Definition
The acronym CORI stands for Criminal Offender Record Information.  iCORI is the internet-based system used in the Commonwealth of Massachusetts to access CORI and to obtain self-audits.

Previous regulations did not specifically define CORI under Section 2.02.  The amended regulations define CORI as:

Records and data in any communicable form compiled by a Massachusetts criminal justice agency which concern an identifiable individual and relate to the nature or disposition of a criminal charge, an arrest, a pre-trial proceeding, other judicial proceedings, previous hearings conducted pursuant to M.G.L. c. 276, § 58A where the defendant was detained prior to trial or released with conditions under M.G.L. c. 276, § 58A(2), sentencing, incarceration, rehabilitation, or release. Such information shall be restricted to that recorded as the result of the initiation of criminal proceedings or any consequent proceedings related thereto. Criminal offender record information shall not include evaluative information, statistical and analytical reports and files in which individuals are not directly or indirectly identifiable, or intelligence information. Criminal offender record information shall be limited to information concerning persons who have attained 18 years of age and shall not include any information concerning criminal offenses or acts of delinquency committed by any person before he or she attained 18 years of age; provided, however, that if a person younger than 18 years old is adjudicated as an adult, information relating to such criminal offense shall be criminal offender record information. Criminal offender record information shall not include information concerning any offenses which are not punishable by incarceration.

Note that previous regulations used a threshold of 17 years or older by definition.  It is important to highlight that previous regulations, as well as the amended regulations, continue to specifically exclude from CORI (among other items):

(j)  published records of public court or administrative proceedings;
(k)  published records of public judicial, administrative, or legislative proceedings;

The amended regulations, however, added the following additional exclusions:

(l)  federal criminal record information; and
(m)  anything otherwise excluded by law.

What are biggest DCJIS regulation changes that will affect employers?

Employment Applicant Definition
Employers conducting criminal record searches on subcontractors, contractors, vendors and/or certain defined state, municipal, or county employees should now consider these categories of extended workforces “employment applicants” for the purposes of the amended regulations and review their obligations for compliance.

CORI Acknowledgements
CORI Acknowledgement Forms can now be collected electronically.  Model CORI Acknowledgment Forms with the required fields of information will be available on the DCJIS website. Requestors shall either use the published CORI Acknowledgment Forms or incorporate the language and information provided on the forms into their applications.  This will provide some flexibility for employers to integrate CORI Acknowledgment into their process whether electronic or otherwise. 

Be advised that the obligation to verify identity with a suitable form of government-issued identification remains.  However, for CORI requests submitted for the same subject where information exactly matches the information on the previous expired CORI Acknowledgement Form, a requestor is not required to verify the subject’s identity a second time. 

In addition, the notary public option continues to be available for verifying identification where a requestor is unable to verify a subject’s identity in person.    

The amended regulations no longer require a 72-hour notice when rerunning a CORI within one year provided the subject employee is still employed with the employer and the requestor notifies the subject on its CORI Acknowledgment Form that a CORI may be requested at any time within that one year.  

As under the previous regulations, CORI Acknowledgement Forms remain valid for one year from the subject's having signed the form or until the conclusion of a subject's employment or licensing period, whichever comes first.  The CORI Acknowledgement Form must be retained for a minimum of one year from the date of the subject’s signature.

Updated CORI Acknowledgement Forms will be posted to the DCJIS website once finalized.

Obligations for Criminal Background Investigations Obtained from the DCJIS or from Another Source
Be advised that certain obligations under the amended regulations continue to extend beyond CORI defined data including maintaining a written CORI policy as well as obligations for adverse action. 

If you are a decision maker on an application or interacting directly with a subject and you conduct five or more criminal background investigations annually through DCJIS or through another source, the regulations continue to require that you maintain a written CORI policy.   

It is important to note that the obligations for adverse action have expanded employers’ responsibilities for adverse employment decisions when the information is from a source other than DCJIS.  Traditionally, employers would only identify the information in the subject’s CORI that was the basis for the potential adverse action.  However, the amended regulations now state that employers must identify the information in a subject’s CORI or criminal history information, whether from DCJIS or received from any other source other than DJCIS, as the basis for potential adverse action.

iCORI Agency Agreement
Requestors registering for access after February 24, 2017 will be required to complete an iCORI Agency Agreement which will be signed by an individual with signatory authority for an iCORI requestor whereby the requestor agrees:

  1. To comply with the CORI laws and regulations;
  2. To maintain an up to date "need to know" list and provide all staff that request, review, or receive CORI with the CORI training materials;
  3. To only request the level of CORI access authorized under statute or by the DCJIS; and
  4. That requestors are liable for any violations of the CORI laws or regulations.  Individual users of the requestor's account may also be liable for said violations.

iCORI Agency Agreements will be posted to the DCJIS website once finalized.

Need to Know List
Each requestor shall maintain a "need to know" list of staff that have been authorized to request, receive, or review CORI. This list must be updated periodically, but not less than every six months, and shall be made available to the DCJIS upon request. A requestor may also provide the "need to know" list to a subject or subject's advocate upon request.

Cloud Storage
CORI Acknowledgement Forms may now be stored in the cloud provided that a written agreement with the cloud storage provider contains minimum security requirements published by the DCJIS concerning cloud storage.  DCJIS reserves the right to inspect cloud storage agreements.

Cloud storage guidelines will be posted to the DCJIS website once finalized.

What are the Changes for Employers Using a Consumer Reporting Agency?

Affirmations
Among other pre-existing affirmation requirements, employers utilizing a Consumer Reporting Agency (CRA), must now affirm to the CRA, before submitting a CORI request to the CRA for employment purposes, a statement indicating whether the annual salary of the position for which the subject is being screened is either above or below $75,000.  This salary figure aligns with Federal Fair Credit Reporting Act (FCRA) that allows exceptions to reporting restrictions that would otherwise be imposed for CRAs.

Redaction
The obligation to provide an exact copy of the CORI report remains, however, in connection with the salary threshold affirmation above, CRA’s must redact certain information in accordance with the FCRA provided the CRA provides the remaining information in the format received form the iCORI system.

What are the next steps?

Official versions of the regulations will be published by the Secretary of the Commonwealth’s Office, Regulations Division.  More information from DCJIS including CORI Acknowledgement Forms, a Model CORI Policy, and Cloud Storage Guidelines will follow.  CSI will continue to provide updates as they become available.

If you are currently conducting criminal background investigations either directly or through a CRA, CSI strongly recommends you review the amended regulations with your legal counsel.

View all articles