On 31 August 2017, Nottinghamshire County Council was fined £70,000 because it had left vulnerable people’s personal information exposed online for five years. An online directory, which had no access restrictions, included sensitive information such as the gender, addresses and care requirements of approximately 3,000 elderly and disabled people. The directory also revealed whether they had been or were still in hospital. The ICO found that this was a serious and prolonged breach of the Data Protection Act 1998, which requires organisations to take appropriate measures to keep personal data secure, especially when dealing with sensitive personal information.