UK Non-Disclosure Agreement | Coco v A.N. Clark Test

A non-disclosure agreement is a written contract under which one party (the discloser) shares information and the other (the recipient) agrees to keep it secret and use it only for an agreed purpose. In a one-way NDA, only one side discloses, which fits early supplier or freelancer briefings where the information flows in a single direction. In a mutual NDA, both sides disclose and both owe duties, the usual choice for a joint venture, a merger discussion or any conversation where each party shows the other its numbers.

People treat NDA and confidentiality agreement as interchangeable, and in practice they are. The label matters less than the substance: a tight definition of confidential information, a narrow purpose, sensible carve-outs and a credible remedy. What an NDA does not do is hand you a monopoly over an idea. It protects the specific information you disclose under it, not the general concept. If your real value sits in code, a brand or a design, you will usually need IP assignments and contractor terms alongside the NDA, a point worth raising before you build a whole company strategy on confidentiality wording alone. For the constitutional and ownership side of that picture, our articles of association template for UK limited companies handle share rights and reserved matters that an NDA never touches.

An NDA in England and Wales does not sit in a statute of its own. It works on two legs: ordinary contract law, and the equitable doctrine of breach of confidence. The leading authority is Coco v A.N. Clark (Engineers) Ltd [1969] RPC 41, where the court set the three-part test that still governs today. The information must have the necessary quality of confidence (it cannot be trivial or already public), it must have been shared in circumstances importing an obligation of confidence, and there must be unauthorised use to the discloser's detriment. A well-drafted NDA does not replace this doctrine; it sharpens it, recording exactly what is confidential and putting the obligation beyond argument.

Statute reinforces the position. The Trade Secrets (Enforcement, etc.) Regulations 2018 protect information that is secret, has commercial value because it is secret, and has been subject to reasonable steps to keep it so, which is precisely why your NDA should require "need-to-know" handling rather than loose circulation. Where the information includes personal data such as customer names or purchase history, the UK GDPR and the Data Protection Act 2018 apply on top, and you may need a separate data processing agreement, not just confidentiality wording. You can check the current statutory text through the UK government's official guidance on data protection and the Data Protection Act 2018.

One recent reform reshapes what an NDA can lawfully restrict. Since 1 October 2025, section 17 of the Victims and Prisoners Act 2024 means a confidentiality agreement cannot stop someone who is, or reasonably believes they are, a victim of crime from reporting it to the police, seeking legal advice, or obtaining medical or victim-support help. An NDA that tries to gag a victim of criminal conduct is unenforceable to that extent. The protection is narrow: it covers disclosures about the criminal conduct itself, not unrelated trade secrets the recipient happened to learn under the same agreement. Drafting that ignores this carve-out risks the whole confidentiality clause being read down.

The classic moment is the pre-contract conversation. An entrepreneur wants to show an investor the financial model, or a founder needs to brief a freelance developer on the architecture before any work order exists. There is no main contract yet to carry confidentiality terms, so the NDA is the precursor that protects you in the gap. Once you formally engage the other side, confidentiality should migrate into the main agreement, which is why our partnership agreement template for UK businesses and similar deals carry their own confidentiality wording going forward.

You also reach for an NDA the moment you open a sale or fundraising process. A potential buyer doing due diligence will see your supplier terms, margins and customer list, and you want all of that handled under a defined purpose ("to evaluate a proposed transaction") with nothing reused if the deal collapses. Mutual NDAs earn their keep here, because each side is exposing its own numbers.

Two edge cases are worth flagging. First, where the recipient will pass information to its own advisers or insurers, your NDA should require a back-to-back obligation so those third parties are bound on the same terms, otherwise the chain breaks at the first sub-disclosure. Second, with anyone based outside the UK, choose English law and the English courts expressly, and ask the overseas party for a UK service address. Serving injunction proceedings abroad is slow, and on a leak speed is everything.

• The definition of Confidential Information is the cornerstone of the whole agreement. It is drafted to the Coco standard and lists categories with real examples (business plans, source code, pricing models, customer data) rather than a vague "anything we tell you", because merely stamping something confidential does not give it the necessary quality of confidence a court will protect.
• The permitted purpose clause limits use to the single reason for disclosure, such as evaluating a supply arrangement or an investment. This is what stops a recipient from quietly using your figures to build a competing offer; use outside the purpose is itself a breach.
• The carve-outs exclude information that is already public, independently developed, or lawfully received from a third party. Without these, a court may treat the definition as overbroad and unreasonable, which weakens enforceability across the board.
• The return or destruction clause lets the discloser require all copies, including notes and derived documents, to be returned or destroyed at the end of the purpose, giving you control over material you can no longer monitor.
• The remedies clause records that damages alone may not be adequate and that the disclosing party may seek an injunction, the practical weapon that stops a leak before it spreads. It avoids a fixed cash penalty, since a sum that is purely punitive rather than a genuine pre-estimate of loss is generally unenforceable in England and Wales.
• The governing law and jurisdiction clause fixes English law and the exclusive jurisdiction of the English courts, and the duration clause sets a defined term rather than an unworkable "forever", with longer survival reserved for genuine trade secrets.

This template is drafted for England and Wales, where the law of confidence and the Trade Secrets Regulations 2018 operate as described, and it is the right starting point for the overwhelming majority of UK commercial dealings. The contractual mechanics, equitable remedies and the section 17 Victims and Prisoners Act 2024 restrictions all apply here directly.

Scotland has its own legal system, and while breach of confidence is recognised, terminology and procedure differ. Interdict is the Scottish equivalent of an English injunction, and litigation runs through the Court of Session or the sheriff courts rather than the High Court. If the recipient is based in Scotland or the relationship is centred there, take advice on whether Scots law should govern instead, because an English jurisdiction clause may simply add a cross-border step.

Northern Ireland likewise has a separate jurisdiction with its own courts, though its confidentiality principles track English law closely. For most cross-UK arrangements, the cleaner approach is to choose one governing law deliberately rather than leave it implied. Do not assume an "England and Wales" clause automatically covers a Scottish counterparty. Where you are dealing with parties in more than one UK nation, a single, clearly stated governing-law clause prevents an argument about which courts hear an urgent injunction. If your wider corporate documents need to match, our shareholders' and founders' agreement options in the UK business library keep jurisdiction wording consistent across the paperwork.

You start by choosing whether the agreement is mutual or one-way, which depends on a simple question: is information flowing in both directions, or only from you? From there you name the parties, using full legal names and company numbers where a limited company is involved, so the contract binds the right entity rather than an individual by accident. Next you set the purpose, and this is the field people rush; the tighter and more specific it is, the more the rest of the agreement protects you.

You then tailor the definition of confidential information to what you are actually sharing, keeping the carve-outs in place, and you fix the duration, typically a few years for commercial information with longer survival for trade secrets. The template prompts you on the return-or-destruction option and on whether advisers need a back-to-back obligation. Finally you confirm governing law and jurisdiction, then download a clean signing copy in Word or PDF. If you would rather see the full catalogue before deciding, the complete library of UK legal document templates sits one click away, and people who need confidentiality inside a hiring relationship often pair the NDA with an employment contract from the UK employment templates.

The most common failure is an overbroad definition. Founders try to make "confidential information" cover everything, on the theory that wider is safer. The opposite is true: a court asked to enforce a definition that sweeps in public and trivial information may decline to read it sensibly, and a recipient's lawyer will argue the whole clause lacks the necessary quality of confidence. The second recurring error is shoehorning a non-compete into an NDA. Confidentiality and restraint of trade are different beasts, and a disguised non-compete is far more likely to be struck down; if you need non-solicitation or non-circumvention, draft it separately and proportionately.

Three more traps catch people repeatedly. They forget consideration, signing as a simple contract with nothing of value passing, when executing the document as a deed would have removed the doubt. They leave duration blank or write "in perpetuity", inviting a court to cut it down to a reasonable period. And they rely on the NDA as if it were a security system, sending sensitive material widely while claiming to take "reasonable steps" to protect a trade secret. An NDA is a contract, not a vault. Limit circulation to need-to-know, watermark sensitive documents, keep access logs, and act fast if you suspect a leak, because the value of an injunction evaporates once the information is out.