UK NDA Essentials: A Legal Guide


Introduction

Non-Disclosure Agreements (NDAs) are central to safeguarding sensitive information in commercial transactions. Their primary function is to create a legally binding framework that ensures confidentiality while balancing enforceability.

Under English law, NDAs operate within the broader equitable doctrine of breach of confidence, a principle shaped by landmark case law and, more recently, by legislative developments. The scope of “confidential information” is wide, potentially covering trade secrets, financial data, customer lists, intellectual property, technical specifications, strategic plans, and other proprietary material of commercial value.



UK Legal Foundation: The Coco Test & Its Extensions



The modern law of confidence is rooted in Coco v A.N. Clark (Engineers) Ltd [1969] RPC 41, where Megarry J articulated the enduring three-part test for breach of confidence:


  1. Quality of confidence – the information must not be trivial or already public.

  2. Obligation of confidence – it must have been shared in circumstances importing a duty of confidentiality.

  3. Unauthorised use to detriment – misuse must cause actual or potential harm.



The Three Coco Extensions

The Coco judgment also clarified three important exclusions:

  • Public accessibility: Information readily available to the public cannot be confidential.

  • Triviality: Information of no practical or commercial value is not protected.

  • Public interest: Confidentiality may yield to a countervailing public interest.

These principles remain critical for NDA drafting, ensuring only commercially relevant information receives protection.



Expansion Toward Privacy

From the 1990s, breach of confidence began to touch on privacy. Yet in Kaye v Robertson [1991] FSR 62, the Court of Appeal confirmed there was no standalone right to privacy under English law. That gap, coupled with the Human Rights Act 1998, eventually led to the emergence of misuse of private information as a separate tort.

For businesses, the lesson is clear: confidentiality in NDAs must be grounded in commercial protection, not personal privacy.



Essential Clauses in UK NDAs

1. Definition of Confidential Information

A precise definition is the cornerstone of enforceability. It must reflect the Coco principles and UK practice.

Best practice drafting:

“Confidential Information” means all non-public, proprietary or confidential information of commercial value, whether oral, written, electronic or in any other form, including but not limited to: trade secrets, technical data, know-how, research, product plans, products, services, customers, customer lists, markets, software, developments, inventions, processes, formulas, technology, designs, drawings, engineering, hardware configuration information, marketing, finances, or other business information, whether or not marked or designated as confidential.

Confidential Information shall not include information that: (i) is generally accessible to the public other than through breach of this Agreement; (ii) lacks sufficient commercial or practical value; or (iii) is required to be disclosed in the public interest by law or court order.

2. Receiving Party Obligations & Permitted Disclosures

The NDA must set out clear duties, while acknowledging permissible disclosure routes.

UK-specific carve-outs include:

  • Legal compulsion (court order, statutory duty, regulator)

  • Disclosure to professional advisers (e.g. lawyers, accountants)

  • Compliance with regulators (e.g. FCA, ICO)

  • Limited intra-group disclosures with safeguards

Upcoming change: From 1 October 2025, the Victims and Prisoners Act 2024 restricts NDAs in employment contexts relating to harassment or sexual misconduct. Commercial NDAs should expressly carve out these statutory rights.


3. Duration & the Springboard Doctrine

Confidentiality obligations must balance commercial reality with enforceability.

The springboard doctrine prevents unfair competitive advantage even if the information later becomes public, protecting it for as long as it would reasonably take to acquire independently.

Drafting tip: Tailor protection periods to the commercial lifespan of the information, with distinct durations for different categories (e.g. technical vs financial).


4. Return or Destruction of Information

Post-termination duties should address:

  • UK GDPR obligations, including erasure rights

  • Legal privilege – carve-outs for retained legal records

  • Regulatory retention – sector-specific rules (e.g. financial services)


5. Governing Law & Jurisdiction

Jurisdiction remains a sensitive issue post-Brexit.

Considerations:

  • England & Wales vs Scotland (different legal systems)

  • Enforcement against EU parties

  • Service of process on international counterparties

  • Arbitration for cross-border disputes

Model clause:

"This Agreement shall be governed by and construed in accordance with English law. The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this Agreement."

6. Remedies for Breach

As damages alone may be inadequate, equitable remedies are essential.

  • Injunctions (prohibitory, mandatory, interim, quia timet)

  • Monetary relief (compensation, account of profits, negotiating damages)

  • Delivery up / destruction orders


Recent UK Legal Developments

Data Protection Integration: NDAs involving personal data must comply with UK GDPR, including lawful basis and subject rights.

Enhanced Disclosure Duties: Recent case law stresses that inadequate internal safeguards can undermine confidentiality.


Additional Clauses to Consider

  • Non-solicitation / non-dealing (subject to restraint of trade rules)

  • Survival provisions (obligations surviving termination)

  • Third-party rights (under the Contracts (Rights of Third Parties) Act 1999)

  • Competition law compliance (avoid anti-competitive information sharing)

Enforcement Considerations

  • Speed matters: Delay can defeat an injunction application.

  • Preserve evidence: Include obligations to notify and retain records in the event of breach.

  • Consider cross-border complexities: Extra care needed post-Brexit when enforcing against EU parties.


Conclusion

NDAs remain a vital commercial tool in the UK, but their enforceability depends on careful drafting that reflects both case law and statutory reform. The intersection of confidentiality, data protection and employment law (particularly post-2025) highlights the need for regular review.

This article reflects the law as at September 2025. Regular review is essential given the rapid evolution of confidentiality and data protection law.

For agreements involving significant value or cross-border transactions, specialist legal advice is strongly recommended to ensure effective protection of business interests.

Navigating the complexities of UK confidentiality law requires specialized expertise. We provide comprehensive legal support for:

  • Drafting and reviewing commercial NDAs

  • Breach of confidence litigation

  • Cross-border confidentiality agreements

  • Regulatory compliance advice
