The Information Commissioner's Office has said Wigan Council breached data-protection law by allowing unencrypted data on school pupils to be downloaded to a laptop.
The laptop was then stolen, holding personal data on most children and young people in Wigan's schools: about 43,000 pupils.
The computer had been stored in a locked office, but not encrypted, according to the ICO. The person who downloaded the data to the laptop was breaching council policy, but there was no block on them doing so.
Joyce Redfearn, chief executive of Wigan Council, has signed an undertaking stating that the council will encrypt data on portable devices in future. Staff will be trained and made aware of the council's policy for storing and using personal data, and the council will ensure staff stick to that policy.
"I strongly advise organisations to avoid instances where employees can download large volumes of personal information," said Sally-Anne Poole, the ICO's head of enforcement.
"This incident could have been averted if the data was simply accessed from the main council computer network. Storing large volumes of personal information on portable devices is unnecessarily risky," she added.