Gwent Police has been slapped on the wrist after it sent results of Criminal Reference Bureau (CRB) checks to a member of the public.
The force sent an email containing a spreadsheet of the results of around 10,000 CRB enquiries to a website journalist.
A staff member accidentally included the journalist in the email.
Fortunately, no details of criminal convictions were disclosed and the nature of the information was not identifiable.
Nevertheless, the Information Commissioner's Office (ICO) found the force in breach of the Data Protection Act.
A Gwent Police investigation into the incident criticised the member of staff for not following the force's IT policies.
"It is essential that staff are aware of and follow their organisation's security policies," said Anne Jones, assistant commissioner for Wales.
"Such a huge amount of sensitive personal information should never have been circulated via email, especially when there was no password or encryption in place."
Gwent Police signed a formal undertaking to shore up its practices, requiring new technology to be brought in to stop autocomplete of email addresses in internal and external accounts.
The force will be pleased to have avoided a fine something two councils did not manage earlier this week.
Ealing and Hounslow councils were hit with fines totaling 150,000 for the loss of unencrypted laptops containing personal data.
