Employers are not precluded from asking the question elsewhere during the interview and hiring process; however, keep in mind that they may not inquire about violations where there was no conviction, certain misdemeanors or anything that occurred earlier than five years prior.

Employers should review their employment applications to ensure they are in compliance with this new legislation.

Massachusetts law also limits employees’ ability to review their personnel files to up to 2 times per year, within five (5) days of providing a written request.  All such requests must be honored within five (5) days.  However, an event that triggers the notification above does not count within that limit.

The new law is part of the Criminal Offender Record Information (CORI) reform bill, signed into law by Governor Deval Patrick on August 6, 2010.  The overall intent of the bill is to make it easier for people with criminal records to rehabilitate themselves by making it easier for them to return to work.  The bill is also intended to encourage employers to hire them. 

The new law reduces the availability of criminal records from 15 to 10 years for people who have been convicted of a felony, and from 10 to 5 years for those who have committed misdemeanors.  In addition, the clock on sealing those records will run from the time the offender is released from prison, rather than from the time the offender ends state supervision.

All employers will have access to a new CORI database that lists only convictions or pending charges within the new time frame.  The only exceptions are murder and sex offense convictions, which will always appear in the database.  Because employers will have access to the database, they cannot ask for criminal history information on job applications.  The only exceptions to this rule occur when an applicant is being considered for the positions for which state or federal law or regulation requires disqualification based on a conviction, or to employers required by state or federal law or regulation not to hire such persons.  In all cases, however, employers may require criminal history information later in the application process.

Further, employers who take an adverse action regarding applicants because of their criminal history must supple the applicants with copies of the records upon which the decision was based.

There are several distinct advantages to employers from using the CORI database.  They will be protected from negligent hiring charges if they rely on the records provided to make their hiring decision up to ninety (90) days after obtaining the records.  Further, they will be protected from discrimination claims if it is found they relied on records that are incorrect or incomplete.

By November 4, 2010, employers will need to revise their application forms and eliminate questions regarding an applicant’s criminal background, and those employers who obtain information regarding an applicant’s criminal history must have a written CORI policy.

The rule applies to all businesses in the Commonwealth, who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment. All policies must be in writing, but the scope and complexity of the policy is dependent on the nature and scope of each business.  Employees must be trained on what they need to do to protect confidential information.

The updates to the legislation cover four (4) areas:

1. The rule adopts a risk-based approach.  Businesses are required to establish a written security program that takes into account the particular business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security.  This is particularly important for small businesses who typically do not handle or store large amounts of personal and confidential information.
2. What had been requirements for inclusion in policies have been removed, and should be used as guidance only.
3. The encryption requirement has been changed to be technology neutral and technical feasibility has been applied to all computer security requirements.
4. The third party vendor requirements have been changed to be consistent with Federal law.

The statute can be found at http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf, and FAQs can be found at http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf.