In fact, the negligence in this case was the fault of an external IT contractor who stored the captured data on the website CMS, after the requirements had been changed to specifically exclude this feature because of security concerns. However, the DPA doesn't take this into account. Data loss is an absolute offence; no negligence is necessary. If the organisation loses the data, they are guilty.
The size of the fine is not a reflection of the degree of negligence but a result of the damage done. In this case, the damage was very serious because of the extremely sensitive nature of the data and who was able to access it.