What is an NDA?
A Non-Disclosure Agreement (NDA) — also called a confidentiality agreement — is a legally binding contract in which one or both parties agree to keep specified information confidential. NDAs are used in business negotiations, employment, partnerships, product development, and any situation where sensitive information needs to be shared but protected.
One-way vs mutual NDAs
| Type | When to use | Who is bound |
|---|---|---|
| One-way (unilateral) | When only one party is disclosing confidential information — e.g. showing a business plan to a potential investor | Only the receiving party |
| Mutual (bilateral) | When both parties are sharing confidential information — e.g. two businesses exploring a partnership or merger | Both parties equally |
Mandatory carve-outs — Victims and Prisoners Act 2024
This is the most important recent change to UK NDA law. The Victims and Prisoners Act 2024 introduced mandatory carve-outs that came into force on 1 October 2025. Any NDA that does not include these carve-outs is unenforceable to that extent.
The mandatory carve-outs mean you cannot use an NDA to prevent someone from:
- Reporting a criminal offence to the police or any law enforcement agency
- Co-operating with a criminal investigation or prosecution
- Making a protected disclosure under the whistleblowing legislation (Public Interest Disclosure Act 1998)
- Reporting misconduct or wrongdoing to a regulator
- Seeking legal advice about their rights
- Disclosing information to a medical professional in connection with their physical or mental health
⚠️ If your NDA was drafted before October 2025: It may not include these mandatory carve-outs and may be unenforceable in key areas. Any NDA used to prevent someone from reporting a crime or seeking help is now void and the person using it may face criminal liability. Get it updated.
What makes an NDA enforceable in the UK?
For an NDA to be enforceable in England and Wales, it must:
- Clearly define the confidential information — vague catch-all definitions are harder to enforce. Be specific about what is confidential.
- Have a defined duration — perpetual NDAs are viewed with suspicion by UK courts. Typically 2–5 years for commercial NDAs.
- Be reasonable in scope — an NDA that tries to cover everything a person ever knows is unlikely to be enforceable in full.
- Include the mandatory VPA 2024 carve-outs — as above.
- Have genuine consideration — both parties must receive something of value (the mutual exchange of confidentiality, or payment, or access to information).
- Be signed by both parties — unsigned NDAs are not binding.
What to include in a UK NDA
- Full legal names and addresses of all parties
- Clear definition of what constitutes confidential information
- Clear definition of what is excluded (already public knowledge, independently developed, etc.)
- Permitted purposes — why the information is being shared
- Obligations of the receiving party (keep confidential, limit internal disclosure, return/destroy on request)
- Duration of confidentiality obligations
- Mandatory VPA 2024 carve-outs
- Consequences of breach (injunction, damages, specific performance)
- Governing law (England and Wales)
- Signature blocks for all parties
Common NDA mistakes
- Not including the VPA 2024 carve-outs — renders key provisions void
- Trying to cover too much — overly broad NDAs are partially or wholly unenforceable
- No defined duration — courts may imply a reasonable period but this creates uncertainty
- Not signing — an NDA must be signed by all parties to be binding
- Using a US NDA template — US and UK NDA law differ significantly; US templates often miss UK-specific requirements
- Using it to cover wrongdoing — any attempt to use an NDA to hide a crime or prevent a victim from getting help is now a criminal offence