Gwent Police accidentally sent an email containing the results of 10,000 checks with the Criminal Records Bureau (CRB) to a reporter, says a watchdog.
The Information Commissioner's Office (ICO) said the email contained 863 pieces of personal information.
A staff member copied the wrong person into a message, it said.
The force was found in breach of the Data Protection Act but did not disclose any details of criminal convictions, said the ICO.
The news comes as the UK government outlined plans to reform the system of criminal records checks, saying it was time to return to a more "common sense" approach.
Anne Jones, the ICO's assistant commissioner for Wales, said: "It is essential that staff are aware of and follow their organisation's security policies.
"Such a huge amount of sensitive personal information should never have been circulated via email, especially when there was no password or encryption in place.
"We are pleased that Gwent Police has taken steps to prevent this happening again."
The ICO said the force's outgoing chief constable Mick Giannasi, had agreed to implement stricter rules over the use of databases.
New technology would also be brought in "to prevent the inappropriate auto completion of addresses in internal and external email accounts".
The ICO is an independent authority set up to uphold public information rights, promote openness by public bodies and data privacy for individuals.