Non-disclosure agreements (NDAs) are a common tool used by businesses to protect confidential information in commercial arrangements, employment contracts and settlement agreements. Recent changes to the law have now limited how NDAs can be used, particularly where they involve allegations of criminal conduct.
From 1 October 2025, new rules under Section 17 of the Victims and Prisoners Act 2024 (the VPA) came into force in England and Wales. These rules make clear that NDAs can no longer prevent certain disclosures by individuals who are – or reasonably believe they are – victims of crime. Even if a confidentiality clause has been signed, it cannot be enforced to stop someone from, for example, speaking to the police or seeking professional help.
The aim of this reform is to ensure NDAs are not misused to silence victims or conceal unlawful behaviour. In this blog, we outline what these changes mean for businesses and what steps may now need to be taken in response.
What are NDAs?
NDAs are legal agreements that impose confidentiality obligations on certain information shared between parties. They are commonly used in a range of settings, from commercial transactions to employment relationships, to prevent the unauthorised sharing of sensitive information.
In the employment context, NDAs are often used in settlement agreements following a dispute or workplace issue and they can restrict what a departing employee can say about the circumstances of their exit. While these clauses can serve a legitimate purpose, they must also comply with the law, particularly where the agreement relates to misconduct or criminal behaviour.
NDAs before the new law
Even before the changes introduced by the VPA, there were already limits on how NDAs could be used.
Under the common law, an NDA could never lawfully prevent someone from reporting a crime to the police or appropriate authorities – any clause attempting to do so would be void as a matter of public policy. Similarly, NDAs cannot override whistleblowing protections. Section 43J of the Employment Rights Act 1996 (the ERA) provides that any clause seeking to stop a worker from making a ‘protected disclosure’ – such as reporting criminal activity or wrongdoing – is unenforceable.
That said, before the new law, NDAs could still be used to restrict disclosures in other contexts. For example, an NDA could prevent individuals from speaking to therapists, support services or even close family members about what had happened, unless other legal protections applied. The VPA changes this by introducing a statutory list of ‘permitted disclosures’ that NDAs signed on or after 1 October 2025 can no longer restrict.
Permitted disclosures under the new law
Under Section 17 of the VPA, NDAs signed on or after 1 October 2025 cannot prevent a victim of crime from sharing information about the criminal conduct with certain people for specific purposes. Importantly, the law protects not only confirmed victims of criminal offences, but also anyone who reasonably believes they are a victim of crime. There does not need to be a police report, investigation or conviction for someone to be considered a victim for these purposes.
These legally permitted disclosures include telling or consulting with the following, for the stated purposes:
- Police or enforcement authorities to report the crime or assist in an investigation/prosecution. This covers not only the police, but also bodies like the Health and Safety Executive, Serious Fraud Office or other regulators that investigate crime.
- Qualified lawyers to seek legal advice about the matter. The lawyer must be properly authorised to practice, for example a solicitor or barrister, so that victims can obtain confidential legal advice.
- Regulated professionals to obtain professional support related to the incident. This means the victim can speak with an individual entitled to practice a regulated profession, such as a doctor, therapist or social worker, in order to get help. For instance, a victim could talk to a doctor or therapist about the trauma.
- Victim support services to access support from charities or organisations that assist people affected by crime (such as counselling services or specialist support helplines). These services provide confidential, independent support to help victims cope and recover.
- Regulators of a regulated profession to cooperate in an investigation of the conduct. For example, if the crime involves a regulated professional, like a doctor or lawyer, the victim can share information with the relevant regulatory body if asked, to help the regulator’s investigation.
- Authorised representatives of the above – this ensures there are no practical barriers to seeking help. If someone is officially authorised to receive information on behalf of any of the above groups, the victim can disclose to that person as well. For example, it would cover a receptionist or intake staff member at a law firm or an interpreter assisting the police.
- Close family members, specifically the victim’s child, parent or partner for the purpose of obtaining emotional support. In other words, an NDA cannot stop a victim from confiding in these closest family members about what happened, so they do not have to suffer in silence.
Any NDA clause that tries to forbid a victim from talking to any of the above people for those purposes will be unenforceable. In practice, an NDA can still include confidentiality obligations, but those obligations cannot bar a victim of crime from seeking help or reporting the issue through these channels.
What disclosures are not protected?
While the VPA significantly expands who victims can talk to, it does not give carte blanche to ignore confidentiality agreements entirely. Some disclosures will still breach an NDA if they do not fall under these protections. Some key points to remember include:
- Public revelations remain restricted
If the primary purpose of a disclosure is to release the information to the general public, it will not be protected by the new rules. For example, you cannot bypass an NDA by telling a permitted person with the intention that they will broadcast the information to the media. Using an allowed channel as a conduit to leak information publicly would still violate the NDA.
- Only crime-related information is covered
The protection only applies to discussing the relevant criminal conduct. If an individual also learned confidential business information or trade secrets under the NDA, those unrelated details still must be kept secret. In short, sharing information that is not about that alleged crime is not a ‘permitted disclosure’ and could breach the NDA. The VPA does not give a free pass to leak all confidential information – it is narrowly focused on the facts of the criminal conduct and obtaining help regarding that conduct.
- Disclosures to other parties not on the list remain risky
If a victim shares information with people outside the permitted channels, the NDA could still be enforced (unless another legal exception applies). For instance, telling a friend or a more distant relative, or posting details in an online forum, would not be protected under the VPA. Victims should be cautious to confine their discussions to the allowed groups, otherwise they might be in breach of contract.
Other legal protections and exceptions
It is worth noting how these new changes sit alongside other existing legal rules on NDAs and confidentiality.
Common law and public policy: As mentioned, even before these new provisions, the law has never allowed NDAs to stop someone from reporting crimes to the police or regulators – such clauses are void as a matter of public policy. Section 17 of the VPA essentially reinforces that principle in statute and extends it further to cover additional forms of disclosures for NDAs signed on or after 1 October 2025. In practice, this means that even an NDA signed before 1 October 2025 could not lawfully prevent a person from reporting a criminal offence to the authorities.
Note: The VPA is not retroactive, so older NDAs remain subject to the old rules – aside from the fundamental exceptions that already existed for crime reporting and whistleblowing.
Whistleblowing: Employees or workers who blow the whistle on wrongdoing have statutory protection under the ERA. Section 43J of the ERA continues to invalidate any agreement clause that attempts to prevent a worker from making a ‘protected disclosure.’ In other words, any NDA clause that tries to stop a worker from whistleblowing about issues such as criminal activity, health and safety dangers or other specified wrongdoing is unenforceable by law and has been for years. The new NDA reforms do not change whistleblowing laws – those remain intact. In practice, if wrongdoing covered by an NDA is also a workplace issue, a worker can still safely report it to the appropriate regulator or enforcement body as a whistleblower. What section 17 adds is clarity that even non-workers (or disclosures outside the ERA’s list of protected disclosures) are protected in the situations described above. Businesses should always ensure NDA wording does not conflict with whistleblowing rights. Since any conflicting clause would be void anyway, most businesses already include a whistleblowing carve-out in their confidentiality agreements as a precaution.
Higher Education sector NDAs: Separately from the VPA, there is a new rule affecting universities and colleges. Under the Higher Education (Freedom of Speech) Act 2023, from 1 August 2025, higher education providers in England and Wales cannot use NDAs when dealing with complaints of sexual harassment, abuse or any other form of bullying or harassment by students or staff. Any NDA made in those circumstances after that date is legally void. This is part of a broader effort to prevent misuse of NDAs in campus misconduct cases. While this is a distinct reform, it aligns with the overall trend of ensuring victims (in this case, in education settings) are not pressured into silence. Businesses outside the education sector are not directly affected by that law, but it underscores growing scrutiny on NDAs.
Conclusion
Businesses should revisit their NDA templates, ensure their teams understand the new limits, and update any processes where NDAs are used, especially in employment or settlement agreements. Including clear carve-outs for these permitted disclosures (such as communications to police, legal advisors or support services) will help reduce legal risk and show that your business understands the boundaries under the new rules.
NDAs are still useful tools, but they must be handled more carefully than before. If you are unsure how these changes apply to your contracts, do not hesitate to contact our expert team for guidance here. You can reach out to Neil Williamson or Colin Lambertus directly and we will be happy to assist.
