Britain's Identity and Passport Service was found to breach that country's Data Protection Act after losing passport renewal applications.
The Information Commissioner’s Office gave the organisation a slap on the wrist after 21 applications went missing.
Personal data of both the applicants and their countersignatories was included in the lost documents.
The service agreed to shore up its IT practices and document handling to ensure such a breach does not occur again.
Neither the commissioner nor the service could confirm how the documents were lost.
An IPS spokesman said the organisation was confident customers “were not subject to any additional risk of identity fraud.”
“An internal security review has since been carried out and we have already significantly tightened our processes to prevent such an incident happening again,” the spokesman said.
An ICO spokesman said it was not hit with a fine because it did not meet the criteria for such a punishment.
“A passport is an important identification document and it is clearly of concern that information relating to renewal applications has been lost,” said Mick Gorrill, head of enforcement at the ICO.
“However, there is no evidence to suggest that the applications have fallen into the wrong hands and we are pleased that the Identity and Passport Service is taking steps to stop this happening again.”
To be levied with a fine, a data controller must have “seriously contravened the data protection principles” and “substantial distress” must have been caused, according to the ICO’s guidance.
Furthermore, the breach must either have been deliberate or “the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.”
The ICO has fined a total of four organisations since it was given additional powers in April 2010. The fines levied add up to £310,000 ($A500,000).
The watchdog can fine up to £500,000 for the most serious breaches.