22. Disclosure of personal data obtained without authority.
From 25 May 2018, this Act ceased to apply to the processing of personal data (within the meaning of this Act) other than the processing of such data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State, or the processing of such data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018 to the extent that this Act is applied in those Acts but is still applicable to complaints made under s. 10 and contraventions of this Act that occurred before 25 May 2018, see s. 8 of the Data Protection Act 2018 (No. 7).
(1) A person who -
(a) obtains access to personal data, or obtains any information constituting such data, without the prior authority of the data controller or data processor by whom the data are kept, and
(b) discloses the data or information to another person,
shall be guilty of an offence.
(2) Subsection (1) of this section does not apply to a person who is an employee or agent of the data controller or data processor concerned.