The question is why he was engaging in a research activity without agreement from the subjects using his employer resources without an authorization for that.
Without knowing more about the nature of the research activity and the dataset retained it is difficult to determine the legitimacy of the research activity and use of school resources.
However, I suspect like many teachers he was tasked with improving standards and one of the ways to improve standards is to collect data and review so as to determine what went well, what could be done better, and what you would do differently, thus the dataset would reflect what he regarded as being relevant and potentially useful. Data can include SATs results, samples of pupils work, etc. Naturally in the school context, it would be normal not to anonymise data, thus the data becomes categorised as personal.
Thus the issue that was picked up on was the taking a copy of this data outside of the school in which it was originally collected and processed.
Given with GDPR, the world has changed, it is irritating that the ICO hasn't released more details so that others (ie. general public) can be more aware of what is now regarded as unacceptable data handling and processing.