Non-disclosure agreements (NDAs) are a common tool used by businesses to protect information that is confidential in commercial arrangements, employment contracts and settlement agreements. Recent changes to the law have now limited how these confidentiality agreements can be used, particularly where they involve allegations of criminal conduct or engage the public interest.
From 1 October 2025, new rules under Section 17 of the Victims and Prisoners Act 2024 (the VPA) came into force in England and Wales. These rules make clear that NDAs can no longer prevent certain disclosures by individuals who are – or reasonably believe they are – victims of crime. Even if a confidentiality clause has been signed, it cannot be enforced to stop someone from, for example, speaking to the police or seeking professional help.
The aim of this reform is to ensure NDAs are not misused to silence victims or conceal unlawful behaviour. In this blog, we outline what these changes mean for businesses and what steps may now need to be taken in response.
What are NDAs?
NDAs are a legal contract that imposes confidentiality obligations on certain information shared between parties, typically confidential and proprietary information, trade secrets, and other sensitive business information.
In the employment context, NDAs are often used in settlement agreements following a dispute or workplace issue and they can restrict what a departing employee can say about the circumstances of their exit. While these clauses can serve a legitimate purpose, they must also comply with the law, particularly where the agreement relates to misconduct or criminal behaviour.
NDAs before the new law
Even before the changes introduced by the VPA, there were already limits on how NDAs could be used.
Under the common law, an NDA could never lawfully prevent someone from reporting a crime to the police or appropriate authorities – any clause attempting to do so would be void as a matter of public policy. Similarly, such agreements cannot override whistleblowing protections, including the right to make a protected disclosure. Section 43J of the Employment Rights Act 1996 (the ERA) provides that any clause seeking to stop a worker from making a ‘protected disclosure’ – such as reporting criminal activity or wrongdoing – is unenforceable.
That said, before the new law, NDAs could still be used to restrict disclosures in other contexts. For example, an NDA could prevent individuals from speaking to therapists, support services or even close family members about what had happened, unless other legal protections applied. The VPA changes this by introducing a statutory list of ‘permitted disclosures’ that NDAs signed on or after 1 October 2025 can no longer restrict.
Permitted disclosures under the new law
Under Section 17 of the VPA, non disclosure agreements (NDAs) entered into on or after 1 October 2025 (the implementation date) cannot be used to prevent a victim of crime from making certain disclosures. This change provides clearer legal protection around when confidentiality obligations can and cannot be enforced, even where a confidentiality clause forms part of a wider legal contract.
Importantly, the protection applies not only to individuals who are confirmed victims of a criminal offence, but also to anyone who reasonably believes they are a victim of criminal conduct. There does not need to be a police report, investigation, or conviction for the disclosure to fall within the scope of the new rules.
The law sets out a defined list of permitted disclosures, allowing victims to disclose information to certain people and organisations for specific purposes, without breaching an nda agreement or other confidentiality agreements. These include:
- Police or enforcement authorities, to report the crime or assist with an investigation or prosecution. This includes not only the police, but also regulators and enforcement bodies such as the Health and Safety Executive or the Serious Fraud Office.
- Qualified lawyers, so the victim can obtain advice from legal counsel. Provided the lawyer is properly authorised to practise, the individual may share information covered by the NDA for the purpose of receiving confidential legal advice.
- Regulated professionals, such as doctors, therapists, or social workers, where disclosure is necessary to obtain professional or medical support related to the incident.
- Victim support services, including charities or organisations that provide counselling or specialist assistance to people affected by crime. These services allow victims to seek help without triggering legal action for breach of confidentiality.
- Regulators of a regulated profession, where the alleged conduct involves a professional subject to oversight, and the disclosure is made to assist with a regulatory investigation.
- Authorised representatives of any of the above, ensuring there are no practical barriers to seeking help. This may include interpreters, intake staff, or other individuals acting on behalf of the relevant authority or organisation.
- Close family members, limited to the victim’s child, parent, or partner, where the disclosure is made for the purpose of obtaining emotional support.
Any NDA or confidentiality agreement that attempts to prevent a victim from making disclosures to these parties for the purposes set out above will be unenforceable. While NDAs may still be used to protect confidential information, proprietary information, or other sensitive information, they cannot be relied on to prevent victims of crime from seeking support, advice, or assistance through these protected channels.
What disclosures are not protected?
While the VPA significantly expands who victims can talk to, it does not give carte blanche to ignore confidentiality agreements entirely. Some disclosures will still breach an NDA if they do not fall under these protections. Some key points to remember include:
- Public revelations remain restricted
If the primary purpose of a disclosure is to place the information into the public domain, it will not be protected by the new rules. The legislation does not permit individuals to circumvent non-disclosure agreements or other confidentiality agreements by disclosing confidential information to a permitted receiving party with the intention that it will result in public disclosure, such as publication by the media.
Using an otherwise permitted channel as a means of releasing information to the general public would fall outside the scope of the statutory protections and could still expose the individual to legal action for breach of the nda agreement. Even where the underlying information relates to alleged wrongdoing.
- Only crime-related information is covered
The protection only applies to discussing the relevant criminal conduct. If an individual also learned confidential business information or trade secrets under the NDA, those unrelated details still must be kept secret. In short, sharing information that is not about that alleged crime is not a ‘permitted disclosure’ and could breach the NDA. The VPA does not give a free pass to leak all confidential information – it is narrowly focused on the facts of the criminal conduct and obtaining help regarding that conduct.
- Disclosures to other parties not on the list remain risky
If a victim shares information with people outside the permitted channels, the NDA could still be enforced (unless another legal exception applies). For instance, telling a friend or a more distant relative, or posting details in an online forum, would not be protected under the VPA. Victims should be cautious to confine their discussions to the allowed groups, otherwise they might be in breach of contract.
Other legal protections and exceptions
It is worth noting how these new changes sit alongside other existing legal rules on NDAs and confidentiality.
Common law and public policy
As mentioned, even before these new provisions, the law has never allowed NDAs to stop someone from reporting crimes to the police or regulators – such clauses are void as a matter of public policy. Section 17 of the VPA essentially reinforces that principle in statute and extends it further to cover additional forms of disclosures for NDAs signed on or after 1 October 2025. In practice, this means that even an NDA signed before 1 October 2025 could not lawfully prevent a person from reporting a criminal offence to the authorities.
Note: The VPA is not retroactive, so older NDAs remain subject to the old rules – aside from the fundamental exceptions that already existed for crime reporting and whistleblowing.
Whistleblowing
Employees or workers who blow the whistle on wrongdoing have statutory protection under the ERA. Section 43J of the ERA continues to invalidate any agreement clause that attempts to prevent a worker from making a ‘protected disclosure.’ In other words, any NDA clause that tries to stop a worker from whistleblowing about issues such as criminal activity, health and safety dangers or other specified wrongdoing is unenforceable by law and has been for years. The new NDA reforms do not change whistleblowing laws – those remain intact. In practice, if wrongdoing covered by an NDA is also a workplace issue, a worker can still safely report it to the appropriate regulator or enforcement body as a whistleblower. What section 17 adds is clarity that even non-workers (or disclosures outside the ERA’s list of protected disclosures) are protected in the situations described above. Businesses should always ensure NDA wording does not conflict with whistleblowing rights. Since any conflicting clause would be void anyway, most businesses already include a whistleblowing carve-out in their confidentiality agreements as a precaution.
Higher Education sector NDAs
Separately from the VPA, there is a new rule affecting universities and colleges. Under the Higher Education (Freedom of Speech) Act 2023, from 1 August 2025, higher education providers in England and Wales cannot use NDAs when dealing with complaints of sexual harassment, abuse or any other form of bullying or harassment by students or staff. Any NDA made in those circumstances after that date is legally void. This is part of a broader effort to prevent misuse of NDAs in campus misconduct cases. While this is a distinct reform, it aligns with the overall trend of ensuring victims (in this case, in education settings) are not pressured into silence. Businesses outside the education sector are not directly affected by that law, but it underscores growing scrutiny on NDAs.
Conclusion
Businesses should revisit their NDA templates, ensure their teams understand the new limits, and update any processes where NDAs are used, especially in employment or settlement agreements. Including clear carve-outs for these permitted disclosures (such as communications to police, legal advisors or support services) will help reduce legal risk and show that your business understands the boundaries under the new rules.
NDAs are still useful tools, but they must be handled more carefully than before. If you are unsure how these changes apply to your contracts, do not hesitate to contact our expert team for guidance here. You can reach out to Neil Williamson or Colin Lambertus directly and we will be happy to assist.
