803 CMR, § 2.23

Current through Register 1536, December 6, 2024
Section 2.23 - Audits by DCJIS
(1) Any and all requests for CORI are subject to audit at any time by DCJIS.
(2) Each requestor who requests CORI shall respond to, cooperate with, and participate in audits conducted by DCJIS.
(a) Failure to respond to, cooperate with, or participate in an audit may result in immediate revocation of CORI access.
(b) If CORI access is revoked for failure respond to, cooperate with, or participate in a DCJIS audit, the requestor shall not obtain CORI through a CRA.
(c) DCJIS may restore CORI access upon completion of its audit.
(d) DCJIS may also initiate a complaint with the CRRB against any requestor for failure respond to, cooperate with, or participate in an audit.
(3) During a DCJIS audit, the requestor shall provide, or allow DCJIS staff to inspect, certain CORI-related documents including, but not limited to:
(a) CORI Acknowledgment Forms;
(b) secondary dissemination logs;
(c) the organization's CORI Policy, if applicable; and
(d) documentation of any adverse decisions based on CORI.
(4) During an audit, DCJIS staff shall assess the requestor's compliance with statutory and regulatory requirements including, but not limited to:
(a) whether the requestor properly registered for the appropriate level of CORI access and provided correct registration information;
(b) whether the requestor is properly completing and retaining CORI Acknowledgment Forms;
(c) whether the requestor is requesting CORI in compliance with 803 CMR 2.00;
(d) whether the requestor is properly storing and safeguarding CORI;
(e) whether the requestor is properly maintaining a secondary dissemination log;
(f) whether the requestor is screening only those individuals permitted by law; and
(g) whether the requestor has a CORI policy that complies with DCJIS requirements.
(5)Audit Results May Be Published.
(6) If DCJIS staff determine that the requestor is not in compliance with statutory or regulatory CORI requirements, DCJIS may:
(a) initiate a complaint against the organization with the CRRB;
(b) refer the audit results to state or federal law enforcement agencies for criminal investigation; and/or
(c) enter into a consent agreement with the requestor whereby the requestor agrees to certain audit findings and, in lieu of further proceedings, agrees to resolve audit findings by paying a fine and/or accepting conditions on access to CORI.
(7) Pursuant to its authority and responsibilities in M.G.L. c. 6, §§ 167A and 172, if DCJIS detects a possible violation or breach of security associated with an iCORI account, it may immediately deactivate that account pending further investigation and take appropriate action to ensure the security and confidentiality of CORI data.

803 CMR, § 2.23

Amended by Mass Register Issue 1333, eff. 2/24/2017.
Amended by Mass Register Issue 1445, eff. 6/11/2021.