How-to guide: How to draft a confidentiality agreement (UK)

Introduction

This guide sets out the key considerations to address when drafting and negotiating a confidentiality agreement (also known as a non-disclosure agreement or NDA), both from the perspective of the receiving party and the disclosing party.

The guide covers:

Overview: legal framework of confidential information
Risks with reliance on the law of confidence
What is a confidentiality agreement?
When should a confidentiality agreement be used?
Limits to protection of confidential information
What should be included in a confidentiality agreement?
Other considerations to include in a confidentiality agreement
Practical guidance, tips and strategies for effective negotiation and drafting of a confidentiality agreement

This guide can be used in conjunction with the following How-to guides: How to ensure compliance with the GDPR, How to reduce the risk of a GDPR data breach, How to negotiate and draft governing law and jurisdiction clauses in a commercial agreement and Checklists: What to consider when reviewing a confidentiality agreement, Ensuring a contract is valid, What to consider when reviewing terms and conditions for the purchase of goods and services (buyer’s perspective) – B2B, Supplier contracts and unforeseen events and Lawful processing of personal data under the GDPR.

Section 1 – Overview: legal framework of confidential information

Legal protection for confidential information is derived from the law of confidence under English common law, which offers some protection against the unauthorised sharing of confidential information. The unauthorised use of confidential information and/or its public disclosure may give rise to an action for breach of confidence in certain circumstances. An action for breach of confidence is based on equitable principles that the recipient of information is bound by their conscience to treat the information as confidential.

Information will be protected under the law of confidence only where it is imparted in a situation that imposes an obligation of confidence on its recipient. In certain circumstances, other considerations may override these obligations of confidentiality. For example, a court may order disclosure pursuant to a freedom of information request under the Freedom of Information Act 2000.

Please note the equitable doctrine of confidence or confidentiality is mainly relied on where sensitive and valuable confidential information cannot otherwise be protected by intellectual property rights, for example, as a copyright work. Some information may contain or include intellectual property rights that can be protected by registration, such as a registered trade mark for a brand or logo, a registered design for certain designs, or a patent for an invention.

In a commercial context, reliance on the law of confidence is not a proper substitute for a signed confidentiality agreement. This is because it may be difficult to:

establish that the receiving party is bound by a duty of confidence; or
define the precise scope of use of the confidential information that the receiving party is permitted to make.

Where parties wish to share confidential information in a commercial context, whether on a one-way or a mutual basis, they will generally enter into a confidentiality agreement to ensure that there are terms that govern the basis upon which the information is to be shared. By doing so, the parties are able to precisely define and/or limit the uses that may be made of the confidential information shared between them. The parties can also use the confidentiality agreement to set out the remedies which should apply in the event of any breach of their respective obligations of confidentiality.

Section 2 – Risks with reliance on the law of confidence

There are several risks and limitations of relying on the common law of confidence, rather than a formal confidentiality agreement, as a means of protecting confidential information:

Information must be confidential in nature, ie, it must have the necessary ‘quality of confidence’. Trivial information may lack this necessary quality of confidence. In addition, commercial information that has entered the public domain is regarded as having lost its quality of confidence, meaning it is no longer protected;
A party seeking to protect information as confidential needs to establish that the receiving party is bound by an equitable obligation of confidentiality. This will be:
- due to the relationship between the parties, eg, employer/employee or lawyer/client; or
- because the receiving party should reasonably have understood that the information was being shared under an obligation of confidence, eg, being asked to look after a collection of private correspondence. Depending on the circumstances of the case, this obligation may be difficult to establish. There is likely to be uncertainty as to the precise restrictions on use and disclosure of the confidential information by which the receiving party is bound.

In short, reliance on common law confidentiality obligations is unlikely to provide robust protection for controlling the uses made of confidential information shared with another party. It runs the risk that the receiving party may use the information received for unauthorised purposes and/or place it in the public domain, whether deliberately or inadvertently.

If a commercial agreement does not include provisions relating to the sharing of confidential information, in the event of a dispute it may be possible to seek to argue that a contractual term relating to confidentiality obligations should be implied into the agreement. However, this is beyond the scope of this How-to guide, which is concerned with the drafting and negotiation of standalone confidentiality agreements.

Section 3 – What is a confidentiality agreement?

A confidentiality agreement is an agreement which governs the sharing of confidential information between parties for a defined purpose. This purpose is typically evaluating whether the parties to the agreement wish to enter a potential business relationship, transaction or project together. A confidentiality agreement is a contract and, where it is subject to English law, a court will apply standard principles of English contract law to its interpretation and enforcement.

Section 4 – When should a confidentiality agreement be used?

A confidentiality agreement should be entered into, in order to govern the terms on which the confidential information is to be shared, if a party’s intention is to:

disclose confidential information to another party (the ‘receiving party’);
ensure that the receiving party is bound by a duty of confidentiality in relation to the information disclosed; and
control the uses which the receiving party may make of the confidential information.

Where confidential information is to be shared between the parties, with each party both sharing its confidential information and receiving confidential information from the other party(ies), mutual obligations of confidentiality should be put in place. For example, if the parties were considering exploring a potential business relationship, transaction or project with each other, there is likely to be a need for mutual sharing of business, financial, marketing or technical information.

Section 5 – Limits to protection of confidential information

The signing of a well-drafted confidentiality agreement does not provide total comfort that information shared with another party will not be disclosed against the original disclosing party’s wishes. See section 6.7 for permitted exceptions to the duties of confidentiality.

Before disclosing confidential information to another party, careful consideration should be given to the impact to a business if any of its confidential information it discloses to another party subsequently enters the public domain. This could either be as a result of the receiving party being ordered to disclose the information by virtue of a court order or because of deliberate/accidental disclosure by the receiving party. There may be some information, eg, trade secrets or unprotected patentable inventions, which the disclosing party may decide against sharing even under a confidentiality agreement. As the Intellectual Property Office points out in its guidance on non-disclosure agreements (NDAs), ‘the best way to keep something confidential is not to disclose it in the first place’.

Section 6 – What should be included in a confidentiality agreement?

The precise terms and conditions to include in a confidentiality agreement will be determined by the nature of the confidential information and the purpose for which it is to be shared. However, certain issues need to be addressed. These include:

an appropriate definition of confidential information and details of the parties;
clarity on whether confidentiality obligations are one-way or mutual;
details of permitted uses or purposes;
no wider purpose and no grant of rights;
issues arising with specific types of confidential information;
restrictions on disclosure of confidential information;
permitted exceptions to duties of confidentiality;
duration of confidentiality obligations;
storage of confidential information;
duration of confidentiality obligations;
inadequacy of damages;
destruction or return of confidential information;
exclusivity, existence of agreement and status of negotiations; and
indemnities.

These issues are considered in further detail below.

6.1 Definition of confidential information and details of the parties

Consider the following points when defining ‘confidential information’ for the purposes of the agreement:

A confidentiality agreement will often define confidential information in broad terms, eg, ‘all information disclosed by one party to the other whether disclosed verbally, in writing, or electronically or otherwise, and which by its nature is capable of being treated as confidential, shall be treated as ‘confidential information'’.
In the interests of clarity, the definition of confidential information may also include a non-exhaustive list of categories of information which will be regarded as confidential. For example:
- trade secrets (however, exercise caution before including trade secrets in the definition, and before disclosing any trade secrets – is the disclosure strictly necessary? Consider the risks if the trade secret were to enter the public domain);
- sensitive business, financial, marketing or technical information; or
- intellectual property (where not in the public domain).
A confidentiality agreement may also define confidential information in more narrow terms where the parties are concerned with sharing specific categories of information only. For example, the confidentiality agreement may state that information shall be treated as confidential information only where:
- it is labelled as confidential by the disclosing party (the risk with this is, if the disclosing party intends, but inadvertently fails, to label information as confidential as it may not then be protected as confidential information); and
- with respect to information shared verbally, it is stated to be confidential by the disclosing party at the time of making the disclosure (the risk with this is that, if there is ever a dispute as to whether such information should be protected by confidentiality obligations, the disclosing party will bear the burden of proof in showing that it stated the information was confidential).
Information in the public domain prior to a confidentiality agreement entering into force cannot be protected as confidential under the agreement. The agreement should expressly acknowledge this.
A confidentiality agreement will generally include defined terms for the disclosing party/discloser and the receiving party/receiver/recipient. In the case of a mutual confidentiality agreement each party may be both a discloser and a receiver.

6.2 One-way or mutual obligations

A confidentiality agreement may impose one-way obligations where confidential information is shared by one party to the other, but not vice versa. More commonly, the information sharing will be two-way (or mutual where there are more than two parties), and the obligations of confidentiality will therefore be mutual.

For example, where an inventor wishes to share details of their invention with potential investors, a one-way confidentiality duty may be appropriate. However, two or more parties wishing to share information for the purpose of evaluating whether or not to enter into a commercial relationship together will wish to impose mutual duties of confidentiality.

6.3 Permitted uses or purposes

A confidentiality agreement should clearly define the uses that the receiving party may make of the confidential information it receives from the disclosing party. These approved uses are often labelled ‘permitted uses’ or ‘permitted purposes’. A confidentiality agreement will often describe the permitted purposes by reference to the purpose for which the parties wish to enter into the confidentiality agreement in the first place. An example would be that the receiving party may use confidential information received for the purpose of evaluating whether it wishes to enter into the proposed business relationship with the disclosing party, for example for the sale or purchase of the disclosing party’s business.

A confidentiality agreement may sometimes set out specific restrictions on the uses which a receiving party may make of confidential information it receives under the agreement, eg, where the disclosing party discloses information that is protected by intellectual property rights in its favour. Where possible the uses/purposes should be as specific as possible to avoid the risk that the receiving party may use the information for purposes beyond those originally anticipated by the disclosing party.

If confidential information is received from a party and is inputted into an artificial intelligence (AI) system, this may be deemed to be a ‘disclosure’ or ‘disclosee’ which may not be covered explicitly in the agreement. Consideration needs to be given to whether this is relevant for the purposes of the information being disclosed and if the receiving party is using AI systems when receiving or storing confidential information of the other party. If relevant, the agreement should expressly allow the AI system to be included as a permitted recipient, as well as any restrictions as to what the AI system is permitted to do, or not do, with the information (in particular for highly sensitive information), and any retention or storage obligations. On a practical level, both the discloser and the recipient are advised to conduct internal risk assessments to determine if AI systems are likely to be involved in the receiving, storage and use of, any confidential information.

6.4 No wider purpose and no grant of rights

A confidentiality agreement will generally state that:

Neither party is obliged to enter into any commercial agreement with the other party, whether in relation to the potential business relationship, transaction or project under contemplation or otherwise.
Each party reserves in full its rights in relation to the confidential information which it shares under the agreement.
Nothing in the agreement grants any rights or interests in favour of the receiving party regarding the confidential information it receives.

The parties may also wish the agreement to expressly state that it is not intended to grant or confer any licence, right or interest in intellectual property rights in favour of the receiving party.

In general, neither party will usually make any warranty or representation with regard to the confidential information it shares with the other party and, in particular, usually makes no warranty or representation as to the accuracy or completeness of the confidential information, or about any reliance by the receiving party on the confidential information. A confidential agreement will often contain a disclaimer to this effect.

6.5 Issues arising with specific types of confidential information

Additional considerations may apply when the confidential information to be shared includes specific categories of information. For example, parties wishing to share ‘personal data’ pursuant to a confidentiality agreement will need to ensure that the sharing and storage of this data is undertaken in accordance with applicable data protection laws. For further guidance, see How-to guide: How to ensure compliance with the GDPR.

6.6 Restrictions on disclosure of confidential information

It will often be necessary for the receiving party to share confidential information received under a confidentiality agreement with other persons such as certain employees, consultants or external professional advisors. From the perspective of the disclosing party, it will be important to control this disclosure and to ensure that rights are suitably limited in scope. A confidentiality agreement will generally address these issues by including a definition of ‘authorised representatives’, ‘authorised persons’ or ‘permitted disclosees’ with whom confidential information may be shared.

The disclosing party may also require that these persons are bound by obligations of confidentiality with respect to the confidential information which is disclosed to them. A disclosing party may seek to require the receiving party to procure that these persons enter into (or are already subject to) a confidentiality agreement with the receiving party which imposes equivalent obligations of confidentiality on them to those imposed on the receiving party under the principal confidentiality agreement.

Where a disclosing party wishes to ensure even stricter control of any further disclosure of confidential information, it may:

seek to limit this onward disclosure to a list of named persons or entities (as opposed to categories of persons or entities);
require the receiving party to obtain prior written approval for any wider disclosure; and/or
attempt to make the receiving party liable for any acts or omissions by the ‘authorised representatives’ of unauthorised disclosures, as if the acts or omissions were committed by the receiving party itself.

Bear in mind that these requirements are fairly onerous for the receiving party and are often resisted (although it is reasonable to expect the receiving party to remain liable for ‘authorised representatives’ as the expectation is that the receiving party has the direct contractual relationship with them and therefore a greater degree of oversight and control over them than the disclosing party). The outcome of disagreements over whether such obligations should be imposed on the receiving party will normally turn on the relative bargaining power of the parties.

6.7 Permitted exceptions to duties of confidentiality

A confidentiality agreement will generally contain the following permitted exceptions to the duties of confidentiality:

information which is already publicly available or becomes publicly available otherwise than as a result of any act or omission by the receiving party;
information which was known to the receiving party prior to it entering into the confidentiality agreement otherwise than as a result of any breach of confidence owed to the disclosing party; and
information which a party is required to disclose by way of order of a court of competent jurisdiction, regulatory body or tax authority.

The precise terms of any permitted exceptions may be the subject of negotiation between the parties. A disclosing party may seek to make this right of disclosure subject to a duty on the receiving party:

to give the disclosing party prior notice of any proposed permitted disclosure; and
where practicable, to give it the opportunity (at its own expense) to challenge any court order requiring disclosure of the information.

For example, the following wording may be used:

‘Where such disclosure is compelled by law (including where the Receiving Party is obliged to disclose information under the UK Freedom of Information Act 2000), and where it is permitted to do so, the Receiving Party shall provide the Disclosing Party with prompt notice of any efforts to compel disclosure and will reasonably co-operate with the Disclosing Party’s lawful attempts to challenge any such order for disclosure and shall make such disclosure only pursuant to a final court order to do so.’

From the perspective of the receiving party such obligations can be difficult and impractical. The receiving party’s priority will be to ensure that it has the unrestricted ability to comply with a court order for disclosure of confidential information and it may therefore resist any proposal by the disclosing party to include in the confidentiality agreement the requirements listed above; it will normally come down to the respective bargaining power of the parties.

In some circumstances it may not be practicable for the receiving party to give prior notice of a disclosure, eg, due to the tight timescale given for compliance with a court order or where prior notice would constitute an offence, such as tipping off. The disclosing party may request that, in this situation, the receiving party should provide prompt notification to the disclosing party of a required disclosure prior to any such disclosure being made, but only when legally permitted to do so.

A confidentiality agreement will typically address permitted exceptions to the obligations of confidentiality in one of two ways. It may provide that:

the information shall cease to be regarded as confidential information in certain circumstances, eg, where it enters the public domain otherwise than as a result of the breach of obligations under the agreement; or
the confidentiality obligations shall not apply to any information which enters the public domain otherwise than as a result of the breach of either party of its obligations under the agreement.

6.8 Storage of confidential information

The confidentiality agreement may impose duties on the receiving party as to how it stores the confidential information it receives. These duties are sometimes drafted in generic language such as:

‘the receiving party shall store the Confidential Information in accordance with the same standards of security which it uses to store its own confidential information’
or
‘the receiving party shall put in place adequate safeguards to protect against the unauthorised disclosure of or access to the Confidential Information which it receives’

A confidentiality agreement may also set out specific duties for the receiving party with regard to the storage of both hard copies and electronic copies confidential information which it receives. For example, it may require that the receiving party stores hard copies in particular locations and limit storage of electronic copies on certain computers (for example, the receiving party’s computers only). Also see guidance above at section 6.5.

6.9 Duration of confidentiality obligations

A confidentiality agreement will typically state that either party may, at any time, terminate the discussions or negotiations to which the confidentiality agreement relates.

The obligations of confidentiality will generally be stated to survive the termination of the agreement. The parties should consider whether it is necessary for the obligations to continue indefinitely or whether it is sufficient for them to continue for a defined period of time only. The continuation of obligations of confidentiality for an unlimited period of time (until the information enters the public domain) may be regarded as offering the greatest protection to a disclosing party. However, from the perspective of a receiving party this approach may be highly onerous and may conflict with its own internal record keeping or document retention policies.

Parties are free to negotiate whatever time limit they wish to impose: limits of anywhere between one and five years are commonly agreed. The duration will depend on the nature of the confidential information in question, the purpose for which it is shared and the shelf-life of the information (ie, for how long it is likely to be useful and should be protected by confidentiality obligations). The time limits chosen should be sufficient to protect confidentiality for as long as the parties consider to be necessary, but confidentiality duties should not continue indefinitely without good reason.

6.10 Inadequacy of damages

The purpose of a confidentiality agreement is to protect the confidentiality of the information shared between the parties. A disclosing party will therefore be principally concerned with legal remedies to prevent unauthorised disclosure of the information shared. The right to recover damages for a breach of the agreement will be a secondary concern.

A confidentiality agreement should clearly state that:

the parties acknowledge and agree that an award of damages would not by itself be an adequate remedy for breach of the obligations of confidentiality; and
each party shall be entitled to seek equitable relief (including injunctions and orders for specific performance) with respect to any breach or threatened breach.

Inclusion of these provisions is not binding on a court; the court has discretion over whether to award equitable relief, eg, to grant an injunction or make an order for specific performance. However, a court will take into account the stated belief of the parties as to the inadequacy of damages when reaching its decision.

6.11 Destruction or return of confidential information

A confidentiality agreement should provide for the treatment of confidential information following the expiry or earlier termination of the agreement. The parties will generally include terms which set out whether the receiving party is required to immediately following expiry or earlier termination of the agreement destroy or deliver up to the disclosing party all copies of the confidential information which are in its possession or control.

The precise terms of these arrangements are often the subject of negotiation between the parties. The disclosing party may wish to insert the following terms:

a requirement on the receiving party to destroy all confidential information received and/or to deliver it up to the disclosing party;
application of these duties to any copies of the confidential information which have been made by the receiving party, and even to documents and materials created by the receiving party which contain any or all of the confidential information in question; and
provision of a sworn statement from a company director that all such obligations have been complied with.

Compliance with these types of obligations can be difficult for the receiving party in terms of time and costs. It may also be difficult for the receiving party fully to comply, eg, where information is stored electronically. The receiving party may therefore resist agreeing to some of the stricter forms of obligation and may seek to limit its duties in this regard to:

taking ‘all reasonable steps’ or ‘all proportionate measures’ to ensure that such actions are completed; or
deleting such information ‘to the extent it is technically practicable to do so’.

It may also seek permission to retain copies of the confidential information in question in its electronic archives provided that such archived copies are no longer readily accessible to its staff etc.

Ultimately, it will be a matter of negotiation between the parties as to the precise terms agreed.

6.12 Exclusivity, existence of agreement and status of negotiations

A confidentiality agreement may also address the following issues:

A confidentiality agreement may contain language stating that, for its duration, each party undertakes not to enter into negotiations with any other party with respect to the business relationship, transaction or project under contemplation between them. Language to this effect is not a default term of a confidentiality agreement and is included only where the parties agree it is necessary under the circumstances.
Sometimes the parties may wish to keep confidential the existence of the confidentiality agreement and/or its purpose, ie, the potential business relationship, transaction or project under contemplation (as this information itself may give away more than the disclosing party is prepared to give at that stage and put it at a competitive disadvantage). They may insert a clause to this effect into the confidentiality agreement.
The parties may wish to expressly state that the status of any negotiations which are taking place pursuant to the ‘permitted purpose’ should be kept confidential.
The parties may also wish to state that any press release, or other form of public announcement, about any commercial agreement entered into between the parties subsequent to the fulfilment of the purpose of the confidentiality agreement shall be subject to prior written approval of both parties.

6.13 Indemnities

Whether to include indemnities in a confidentiality agreement is a matter of negotiation between the parties; it is not a default term that is always included.

In certain instances, the parties may be in agreement that mutual indemnity language should be included in relation to breaches of their respective confidentiality obligations, eg, where information of a very high commercial value or sensitivity is being shared. However, in other instances it may be that one party is disclosing more confidential information (or more commercially sensitive or valuable confidential information) than the other party and, because of the higher risk to the disclosing party seeks indemnity protection from the receiving party for breach of the agreement. This could apply where a confidentiality agreement relates to the one-way sharing or predominantly one-way sharing of confidential information. This is a matter for negotiation between the parties.

Section 7 – Other considerations to include in a confidentiality agreement

A confidentiality agreement is a contract. Consider inclusion of standard boilerplate contract terms as used in other commercial contracts (especially those which are necessary to ensure that a valid and legally binding agreement has been entered into and that the respective rights and obligations of the parties as set out in the agreement may be enforced effectively). Common boilerplate contract terms to include in a confidentiality agreement include interpretation, assignment, and entire agreement clauses.

7.1 Governing law and court jurisdiction

Several factors need to be considered when negotiating the governing law and jurisdiction terms for a confidentiality agreement:

Where both parties are UK-incorporated entities, it will generally suit them for the agreement to be made subject to English law and the jurisdiction of the English courts.
Parties sometimes prefer to state that English courts are given ‘non-exclusive’ jurisdiction, rather than ‘exclusive’ jurisdiction, to resolve disputes. This leaves open the possibility for either party to pursue legal action in another country if it believes that an unauthorised disclosure has been made there in breach of the terms of the agreement (and/or if the laws of another country may be more favourable to it as a claimant).
Where one of the parties is incorporated outside the UK or is a large multi-national company the question of governing law and jurisdiction will often be the subject of negotiation. In such cases the parties may sometimes settle on a neutral third country governing law and jurisdiction to try to ensure a more balanced position.

For further guidance, see How-to guide: How to negotiate and draft governing law and jurisdiction clauses in a commercial agreement.

7.2 Consideration

A confidentiality agreement that involves genuine two-way sharing of confidential information will constitute sufficient consideration for the purpose of creating a legally binding agreement. A confidentiality agreement that is one way only may need to be executed as a deed to make it enforceable. Note that, if a one-way confidentiality agreement is all that is needed in practice, it is advisable not to use a two-way (or mutual) confidentiality agreement purely to try and avoid having to consider the practicalities involved in entering into a one-way agreement (ie, whether to have to execute as a deed or to include nominal consideration).

Section 8 – Practical guidance, tips and strategies for effective negotiation and drafting of a confidentiality agreement

Key guidance, tips and strategies for effective negotiation and drafting of a confidentiality agreement include the following:

It is critical that the term ‘permitted purposes’ is defined very clearly and precisely. Ambiguity as to its scope creates a risk of differences of understanding between the parties. There may be uncertainty as whose view would prevail in the event of any dispute.
Think about how long the obligations of confidentiality will need to last. There is no need to make them continue indefinitely where the information to be shared will enter the public domain (other than through breach of the confidentiality agreement) or lose its commercial value within a short period of time. Ensure the term of the confidentiality obligations is relevant and appropriate given the applicable confidential information.
Resist pressure to share confidential information prior to a fully executed confidentiality agreement being put in place as doing so risks the information being used for purposes outside the intended permitted purposes, or shared with third parties and/or being put into the public domain. If such an event, the disclosing party would be forced to rely on the law of confidence which, as discussed at section 2 above, may not provide the desired protection.
You should always carefully review the terms of a confidentiality agreement prior to signing it. Whilst many confidentiality agreements are formulaic and balanced, it is important to check that each confidentiality agreement is not one-sided, or that it seeks to impose overly onerous or otherwise unreasonable terms, for example in relation to restrictions on the receiving party’s future activities.
It is also important to ensure that a confidentiality agreement is signed by an authorised representative of each party. This may, for example, be a director of a contracting party’s company or someone else with appropriate authority to give the undertakings set out in the confidentiality agreement.
Also consider what arrangements need to be made to ensure relevant members of staff receiving or disclosing confidential information are made aware of, and will at all times comply with, the obligations set out in the agreed confidentiality agreement.

For further guidance, see ‘Use of non disclosure agreements’ issued by the Solicitors Regulation Authority.

Additional resources

GOV.UK: Non-disclosure agreements (NDAs)

How-to guide: How to draft a confidentiality agreement (UK)