Schools could be putting pupils' personal data at risk by failing to store it securely, according to new research.
The study suggests that schools are increasingly collecting students' biometric data, such as fingerprints, but do not always think about the security issues surrounding this. It found that almost half of schools have regulations on personal data security that fall below a recommended minimum level.
It has been suggested that up to four in 10 secondary schools use fingerprinting or face-scanning systems for a number of reasons, including recording attendance, allowing pupils to check out library books, pay for lunch or access certain school buildings.
But a paper due to be presented at the British Educational Research Association's (Bera) annual conference in Manchester warns that schools often do not have clear policies on how personal information should be stored and handled.
The researchers analysed the results of about 1,000 schools that belong to the South West Grid for Learning (SWGfL) - an internet service provider which has created a tool that allows schools to review their online safety measures.
The findings show that in the personal data category - the general security of personal information - almost half of schools (48%) rated themselves as having "no agreed personal data policy" or as having "a personal data policy being developed". This put them below SWGfL's minimum recommended security level.
A further 45% of schools were at the minimum recommended level, saying that they have a policy on personal data that staff have been made aware of. Some 45% were below the minimum level in the area of password security and 40% were below the minimum standard for technical security tackling problems such as viruses.
Research author Dr Sandra Leaton Gray, of the University of East Anglia, said that many schools have created databases with information such as where children live, their parents' details or if they have special needs. Dr Gray said: "If this information gets into the wrong hands, it can have big consequences for individuals. Yet security levels in schools are inconsistent, and generally not as high as they should be."
A DfE spokeswoman said: "We take the security of pupils' personal data very seriously. We have changed the law so that schools have to obtain parental permission before they take fingerprints or any kind of biometric data. This will come into force in September 2013.
"Under the Data Protection Act all data collected by schools must only be used for its stated purpose, cannot be shared with third parties for another purpose, must be kept securely and be destroyed when a pupil leaves their school."