Is school behavior data protected under FERPA?
In most cases, yes. FERPA applies to education records, which it defines broadly as records that are directly related to a student and maintained by an educational agency or institution (or a party acting for it). Behavior data collected as part of a student program, an IEP, a behavior intervention plan, or a functional behavior assessment is directly related to that student and is maintained by the school, so it falls squarely within the definition.
There is a narrow exception for sole possession records, sometimes called private notes. These are records kept by one person as a personal memory aid, not shared with or accessible to anyone else, and not placed in the student file. The moment such notes are shared with a colleague, entered into a system, or used in decision making, they typically stop qualifying as sole possession records and become part of the education record.
The practical takeaway: assume that the behavior data you collect at school is FERPA protected unless you have a specific, documented reason to believe otherwise.
What secure storage looks like
FERPA requires schools to use reasonable methods to protect education records from unauthorized access. It does not prescribe a single technology, but the expectation is real safeguards rather than open spreadsheets or paper left on a desk.
- Data encrypted in transit and at rest so it cannot be read if intercepted or if a device is lost.
- Authenticated access, meaning each user signs in with their own credentials rather than sharing a generic login.
- Role-based permissions so staff see only the students and data relevant to their role.
- Audit trails and the ability to revoke access promptly when staff change roles or leave.
Who can access student behavior data?
FERPA limits access to education records to a defined set of people. For behavior data, the people who can generally access it without separate written consent are:
- School officials with a legitimate educational interest. This includes teachers, behavior analysts, administrators, and contractors performing institutional services, but only for the students they actually work with and only as needed to do their jobs.
- Parents and guardians of a student who is under 18 and still a dependent, who have the right to inspect and review their child education records.
- Eligible students, meaning students who are 18 or older or who attend a postsecondary institution. At that point, FERPA rights transfer from the parent to the student.
- Third parties outside that circle, including outside agencies, researchers, or service providers not acting as school officials, generally need prior written consent from the parent or eligible student. Specific FERPA exceptions exist, such as health and safety emergencies, transfers to a school where the student enrolls, and certain audit or evaluation purposes, but these are limited and should be applied carefully rather than treated as a default.
How ChartMyBehavior fits
ChartMyBehavior is built for FERPA-aligned school workflows. Data is encrypted in transit and at rest, access is authenticated, and permissions are role based so staff only see the students they are assigned to. The platform is designed to support a school in meeting its FERPA obligations.
To be clear about scope: ChartMyBehavior is built for school education-record workflows under FERPA. It is not positioned as a HIPAA-covered clinical platform, and it does not replace your district policies or the legal advice of your own counsel. If you operate in a clinical, HIPAA-covered setting, confirm that any tool you use meets those separate requirements.