803 CMR, § 2.14

Current through Register 1536, December 6, 2024
Section 2.14 - Storage and Retention of CORI
(1) Hard copies of CORI shall be stored in a separate locked and secure location, such as a file cabinet. Access to the locked and secure location shall be limited to employees who have been approved to access CORI.
(2) Electronically-stored CORI shall be password protected and encrypted. Password access shall be limited to only those employees who have been approved to access CORI.
(3) CORI may be stored using cloud storage methods. When CORI is stored using cloud storage methods the following shall be followed:
(a) The requestor shall have a written agreement with the cloud storage provider. The written agreement shall include the minimum security requirements published by DCJIS concerning cloud storage. Said agreement is subject to inspection by DCJIS and shall be provided to DCJIS upon request.
(b) The cloud storage method shall provide for encryption and password protection of all CORI.
(4) CORI and/or CORI Acknowledgment Forms shall not be retained for longer than seven years from whichever of the following occurs later:
(a) The subject's last date of employment or volunteer service for which the CORI request was made; or
(b) The date of the final decision regarding the employment or volunteer opportunity or licensing decision of the requestor regarding the subject.

Amended by Mass Register Issue 1333, eff. 2/24/2017.
Amended by Mass Register Issue 1416, eff. 4/9/2020.
Amended by Mass Register Issue 1428, eff. 6/29/2020.
Amended by Mass Register Issue 1440, eff. 6/29/2020.
Amended by Mass Register Issue 1445, eff. 6/11/2021.