A police officer sent an email to a member of the public containing information which could have been used to identify sex offenders.
The Dyfed-Powys Police officer mistakenly sent the email about eight people from Powys to a member of a local community scheme after selecting the wrong name from an email list.
It contained names, addresses, telephone numbers and email addresses.
The Information Commissioner’s Office (ICO) fined the force £150,000.
It found Dyfed-Powys did not have the right measures in place to keep personal information secure.
The address book was only meant to be used for internal emails, but an ICO investigation found it had grown to contain frequently used email addresses for external contacts.
The person who received the email was the first name in the alphabetical list and had received five emails meant for other people in just four days in April 2015.
Assistant commissioner Anne Jones said: “This was an accident waiting to happen. The force failed to take advantage of earlier opportunities to address the problem, and now faces the consequences of getting it wrong.
“While at first glance this might seem like simple human error, it was made possible by the poor procedures the force had in place around protecting people’s personal data.
“This is a troubling story, and one that will do little to reassure the local community that its police force can be trusted to look after sensitive information.”
Temporary deputy chief constable Liane James said: “We accept that mistakes were made and have acted to make the necessary changes to processes and systems.
“We work hard to ensure the safety of the data available to us and will continue to take the learning from this, now and in the future.”