Schools have been warned to check procedures for protecting pupil data after the information watchdog was given powers to issue fines of up to £500,000.
The Information Commissioner's Office (ICO), previously only able to issue fines of up to £5,000, is planning to punish organisations which mislay or misuse sensitive personal information.
Although most high-profile data losses reported so far have been from government organisations, headteachers have been warned to ensure their policies are watertight.
Schools are expected to hold increasing amounts of data on pupils, from their names and addresses to information about medical conditions and parents' jobs.
A growing number of schools are also gathering biometric information from pupils in the form of fingerprints in order to create cardless canteens and libraries.
In November last year, Waseley Hills High School in Birmingham was ordered by the ICO to improve its policies after an unencrypted laptop containing details of 1,000 pupils and staff was stolen.
Martin Ward, deputy general secretary of the Association of School and College Leaders, said: "The amount of information we are expected to have goes up all the time and it is sensitive data. It is reasonably secure in the context of the central database. However, that data has to be backed up and stored somewhere else. Staff may also want access to that information to make spreadsheets. There's a need for schools to have quite explicit policies on who has access to the data and how they use it."
Susan Hall, head of information technology law at Cobbetts Solicitors, said schools needed to be aware that keeping data secure was not the only issue at stake.
The increasing use of CCTV in schools, she said, raised issues of data protection and created "conflicts" for headteachers.
Last year, police were called to Charlestown Primary in Salford when cameras left running for 24 hours filmed pupils changing for PE.
"There is always the temptation to use data for a purpose it was not originally gathered for," Ms Hall added.
Christopher Graham, the information commissioner, said data losses could create "huge distress" to people and the new penalties were designed as a "deterrent" to promote compliance with the Data Protection Act. "I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law," he said, stressing that all fines would be "proportionate."
THE ONES THAT GOT AWAY
The new sanctions follow a number of high-profile data breaches in the education world:
Last month, a worker at Barnet Council lost personal data on 9,000 pupils when a laptop was stolen from their home.
Earlier this year, the Association of Teachers and Lecturers was ordered to tighten up its data protection procedures after it lost the details of 7,000 members when a USB stick and laptop went missing.
In 2007, the Howard School in Rainham, Kent, apologised after a confidential report containing derogatory remarks about its pupils was found in the street. The booklet, which had "Do not leave lying around" written on the cover, described one pupil as a "wally" and another as a "dingbat" and a parent as "a bit rough".
Data Protection Act 1998: what it says
Data must be used for the specific purposes for which it was collected.
It must not be disclosed to other parties without consent.
Individuals have right of access to the information held about them.
Personal information must not be held for longer than is necessary and must be kept up to date.
Holders of personal information should have adequate security measures in place.