Sensitive information on school pupils is being put at risk by staff who take it home with them, an IT firm says.
The data include potentially sensitive information about pupils
Teachers in nearly half of England's primary schools back up pupil data on CDs and memory sticks, which they then take out of school, research suggests.
A survey of 933 schools for school computing firm RM found only 1% of respondents were encrypting the data.
RM blamed a lack of clear guidance, but the government said it published advice for schools on the issue.
The warning comes after a string of data security breaches by government departments and associated agencies.
The most serious of these came to light in November, when Chancellor Alistair Darling admitted data on all of England's child benefit claimants had gone missing in the HM Revenue and Customs' internal post.
It included the names, addresses, dates of birth, child benefit numbers, national insurance numbers and bank details of more than seven million families.
The kind of information being carried by teachers commuting to and from school is similar, says RM.
It includes the names, addresses and birth dates of pupils, contact numbers for parents, sensitive details of pupils' attendance and behaviour, as well as academic records.
The discs, memory sticks and tapes on which it is recorded could be lost or stolen from teachers' bags, the firm warns.
In addition to the 49% of schools which said they allowed the data to be taken home by staff, a further 4% said they left sensitive and unprotected data at unsecured locations in the school.
Head of RM schools management solutions Paul Grubb said: "Schools may be acting with the best intentions to preserve children's records and ensure information is kept up to date, but they risk breaching data protection guidelines by taking such risks with pupil data.
"Unfortunately, the Data Protection Act isn't clear enough on this issue and so schools are interpreting it and making their own decisions.
"Following our findings we plan to take the matter up with the Information Commissioner to try and establish clearer guidance for schools."
A spokesman for the Department for Children, Schools and Families said schools had to make sure that personal information is protected and looked after fairly in line with the Data Protection Act - as with any other organisation that handles personal information.
"The Information Commissioner's Office produces detailed guidance about all aspects of the Act.
"We also publish specific advice about the data protection issues that schools need to be aware of when collecting and processing personal data about pupils and other individuals," he added.
A spokeswoman for the Information Commissioner's Office said the Act was very clear that organisations which process personal information must ensure its security at all times.
"Large amounts of personal information, particularly sensitive information, should only be taken off-site if it is absolutely necessary."