Schools are increasingly collecting students' biometric data, such as fingerprints, but do not always think about the security issues surrounding its storage, according to new research.
The researchers analysed the results of 1,000 schools that belong to the South West Grid for Learning (SWGfL) - an internet service provider which has created a tool that allows schools to review their online safety measures.
Almost half the schools were found to have personal data security regulations which fall below the recommended minimum level.
The findings show that in the personal data category - the general security of personal information - almost half of schools (48%) rated themselves as having "no agreed personal data policy" or as having "a personal data policy being developed".
A further 45% of schools were at the minimum recommended level, saying that they have a policy on personal data that staff have been made aware of.
The findings also show that 45% were below the minimum level in the area of password security and 40% were below the minimum standard for technical security - the measures a school puts in place to protect its computer system from problems such as viruses.
A paper which will be presented at the British Educational Research Association's (Bera) annual conference in Manchester also warns that schools often do not have clear policies on how personal information should be stored and handled.
Research author Dr Sandra Leaton Gray, of the University of East Anglia, said that many schools have created databases with information such as where children live, their parents' details or if they have special needs.
She said: “If this information gets into the wrong hands, it can have big consequences for individuals. Yet security levels in schools are inconsistent, and generally not as high as they should be.”
A Department for Education spokeswoman said that new laws which come into force in September 2013 will ensure that schools obtain parental permission before taking and storing students' biometric data.
She said: “We take the security of pupils' personal data very seriously. Under the Data Protection Act all data collected by schools must only be used for its stated purpose, cannot be shared with third parties for another purpose, must be kept securely and be destroyed when a pupil leaves their school.”