In a recent discussion I had about this I was told that we should examine what data we hold, consider how it is classified (this is a job being done by a number of Govt agencies in more detail at the moment), and consider who has access to it. A medium risk piece of information on its own might be fine, but when you put together a number of pieces of information it may then become high risk ... it is not a single piece of data we should worry about but how the streams or blocks of data can then build into something more. This is why things like Shibboleth are being used within RBCs now to connect to other VLEs and services ... anonymise as much as possible and control the rest yourself!
Sure, this would be 'personal information' but then the DPO should be making sure that this sort of stuff isn't available on a shared drive, and that kids (and teachers) aren't keeping databases of others' addresses/DOBs/etc in the first place. That in itself, regardless of whether the info is copied out onto CD, could be a breach of the act.