FERPA Files, Recommendation & Noncompliance

Credential Files

FERPA does not specify a time period for retaining credential/placement files or reference letters. The law merely provides that an education record may not be destroyed if there is an outstanding student request to inspect the file. The school has the discretion to develop a record retention policy and communicate that policy to its students. The policy should include a deadline by which students/alumni must respond if they do not wish to have their files destroyed. Once the deadline has passed, and there has been no request for retention, the records may be destroyed.

Recommendations to Ensure FERPA Compliance

  • Obtain signed, written consent from a student before a school official, administrator, career services staff member, or faculty member releases personally identifiable information to an employer, third-party recruiter, or resume referral data base;
  • Train and retrain faculty members with respect to the requirements and prohibitions of FERPA;
  • Notify employers, employment agencies, contract recruiters, resume data bases, and other entities that student records are subject to FERPA, and that such entities cannot subsequently disclose these records without student consent; and
  • Notify third parties that improper disclosure will result in future denials of access to such records.
  • Determine, clearly define, and communicate to students what information will be considered directory information prior to disclosure and provide students with a reasonable time to notify the educational institution if they want to restrict access to directory information.
  • Obtain a new consent form if any student information is changed, such as revisions to a letter of recommendation, prior to fulfilling an information request.
  • Note that FERPA does not address the issue of placing amended letters of recommendation into students’ files: Each educational institution is responsible for establishing and consistently enforcing its own policies with respect to this issue.
  • Draft and maintain policies with regard to the retention of records that pertain to the disclosure of information for health and safety concerns.
  • Review and revise any and all third-party agreements to ensure such agreements comply with FERPA requirements.
  • Implement policies that include how an institution will respond to data breaches or unauthorized disclosures and conduct an investigation into how such a breach occurred.
  • Advise students with respect to the implications of waiving their right to inspect their files or letters of recommendation.

Penalty for Noncompliance

Courts have routinely held that FERPA does not create a private right of action against the educational institution. Complaints, however, may be filed with the Department of Education, which will investigate all issues. An educational institution that fails to comply with FERPA may forfeit its federal funding. It should be noted, however, that some states allow for monetary damages for the disclosure of private information.

Clearly, FERPA remains an important federally created protection for student privacy, but the act is ever changing. In May 2014, several U.S. senators introduced a bill that would modify FERPA to ensure that student data handled by private companies would be protected. The proposed bill would restrict federal money provided to schools that do not have information security policies and procedures in place. While this is only a proposed bill, it further indicates the heightened scrutiny educational institutions face when disclosing student information. Therefore, it is imperative that all educational institutions understand the existing restrictions and limitations imposed by FERPA.