A Sydney university "did not take the appropriate steps to ensure the security of students' personal information", the NSW Privacy Commissioner has found.

Earlier this year Fairfax Media, publisher of this website, reported that the detailed records of thousands of University of Sydney students past and present were being stored online where they could be easily downloaded and read via an internet connection without a password.

Details openly available on the university's site included a student's full name, residential address, email address, which courses he/she studied and how much the course cost.

The Fairfax report sparked an investigation by the NSW Privacy Commissioner, which late yesterday released a two-page finding (read the PDF here) that said the university had breached the Privacy and Personal Information Protection Act 1998.

"The investigation into this matter has revealed that the university did not meet its obligations under New South Wales law," acting Privacy Commissioner John McAteer said.