The University of Greenwich has been fined £120,000 ($160,000) by the Information Commissioner.
The fine was for a security breach in which the personal data of 19,500 students was placed online.
The data included names, addresses, dates of birth, phone numbers, signatures and – in some cases – physical and mental health problems.
It was uploaded onto a microsite for a training conference in 2004, which was then not secured or closed down.
In 2013 it was compromised and the information, which had been published alongside committee meeting minutes, was posted elsewhere.
In some cases it included individual students’ study progress, including reasons why they had fallen behind, and copies of emails between them and staff.
In one example, it was disclosed that a student had a brother who was fighting in a Middle Eastern army and references were made to an asylum application.
The breach was discovered by one of the students, who brought the matter to the attention of the BBC and the Information Commissioner's Office (ICO).
The Information Commissioner said Greenwich was the first university to receive a fine under the Data Protection Act of 1998 and described the breach as “serious”.
“Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution,” said Steve Eckersley, head of enforcement at the ICO.
“Students and members of staff had a right to expect that their personal information would be held securely and this serious breach would have caused significant distress.
“The nature of the data and the number of people affected have informed our decision to impose this level of fine.”
In a statement, the university said it would not appeal against the decision.
It said it had carried out “an unprecedented overhaul” of its data protection and security systems since the discovery of the breach in 2016, and it had invested in both technology and staff.
It also said the fine would be reduced to £96,000 with a prompt payment discount.
“We acknowledge the ICO’s findings and apologise again to all those who may have been affected,” said University Secretary Peter Garrod.
“No organisation can say it will be immune to unauthorised access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made.
“We take these matters extremely seriously and keep our procedures under constant review to ensure they reflect best practice.”