FERPA does not specify a time period for retaining credential/placement files or reference letters. The law merely provides that an education record may not be destroyed if there is an outstanding student request to inspect the file. The school has the discretion to develop a record retention policy and communicate that policy to its students. The policy should include a deadline by which students/alumni must respond if they do not wish to have their files destroyed. Once the deadline has passed, and there has been no request for retention, the records may be destroyed.
Courts have routinely held that FERPA does not create a private right of action against the educational institution. Complaints, however, may be filed with the Department of Education, which will investigate all issues. An educational institution that fails to comply with FERPA may forfeit its federal funding. It should be noted, however, that some states allow for monetary damages for the disclosure of private information.
Clearly, FERPA remains an important federally created protection for student privacy, but the act is ever changing. In May
2014, several U.S. senators introduced a bill that would modify FERPA to ensure that student data handled by private
companies would be protected. The proposed bill would restrict federal money provided to schools that do not have information security policies and procedures in place. While this is only a proposed bill, it further indicates the heightened
scrutiny educational institutions face when disclosing student information. Therefore, it is imperative that all educational
institutions understand the existing restrictions and limitations imposed by FERPA.