Statistics released by the Information Commissioner's Office (ICO) suggest schools are aware of their data protection obligations, but many are not acting on them.
Ninety-five per cent of the 400 schools surveyed by the data protection watchdog said they provided some details to pupils and parents about what is done with their personal information.
However, 30 per cent with password-protected computer systems admitted their login details are not strong enough or changed regularly. In addition, 20 per cent admitted their email systems were insecure.
In many respects (the results) should come as no surprise it's not teachers' area of expertise
In response to the findings, the ICO has issued a report advising schools on how to comply with the Data Protection Act.
Its advice includes accurately notifying the ICO about why they need to process personal data, recognising the need to handle personal information in line with data protection principles, and training staff and governors in the basics of information security.
The ICO also recommends schools take time to ensure they have "clear and practical policies" in place to ensure the security of any personal data they store.
Louise Byers, ICO head of good practice, who helped draft the advice document, said the survey results should come as little surprise.
"It's not teachers' area of expertise and it is precisely what our report is aiming to address," said Byers.
"I'd urge teachers and heads to take a look at our recommendations and make sure they're complying with the law. The sensitive personal data that schools handle means it is crucial they get this right."
The full report detailing data protection advice for schools and a summary document of the ICO's recommendations are available to download via the organisation's website.
