The UK's Information Commissioner has fined £120,000 ($160,000) to the University of Greenwich for a security breach that affected personal data of 19,500 students.
The compromised data included names, addresses, dates of birth, phone numbers, signatures and - in some cases - physical and mental health problems.
The data was uploaded onto an unsecured microsite for facilitating a training conference in 2004.
The Information Commissioner said that Greenwich University was the first university to be fined under the Data Protection Act of 1998.
"Whilst the microsite was developed in one of the University's departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution," said Steve Eckersley, head of enforcement at the ICO.
"Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress.
"The nature of the data and the number of people affected have informed our decision to impose this level of fine."
The university said that they would not appeal against the decision.
"We acknowledge the ICO's findings and apologise again to all those who may have been affected," said University Secretary Peter Garrod.
"No organisation can say it will be immune to unauthorised access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made.
"We take these matters extremely seriously and keep our procedures under constant review to ensure they reflect best practice."
