Compelled disclosure and whistleblowing (UK)

An NDA cannot override mandatory disclosure rights. It must carve out disclosure required by law, court, or regulator, and it cannot lawfully prevent a protected disclosure under the Public Interest Disclosure Act 1998. The Victims and Prisoners Act 2024 (in force from 1 October 2025) goes further: any NDA provision is unenforceable so far as it purports to stop a victim of crime (or someone who reasonably believes they are) from disclosing the relevant conduct to the police, qualified lawyers, regulated professionals and regulators, support services, or close family, for permitted purposes.

And professional-conduct rules bite on the lawyers who draft these clauses: the SRA's warning notice requires that NDAs must not prevent reporting to regulators or protected disclosures, and should not include clauses known to be unenforceable. So overreaching confidentiality wording is both ineffective and a conduct risk.

US whistleblower and anti-gag rules

US-facing NDAs carry their own mandatory carve-outs. The Defend Trade Secrets Act requires a whistleblower-immunity notice in any NDA restricting trade-secret or confidential information; omit it and the employer forfeits exemplary damages and attorney's fees in a later trade-secret claim. The SEC's Rule 21F-17 prohibits any agreement that impedes communication with the SEC - it is actively enforced (the Brink's Company was fined USD 400,000 in 2022 for confidentiality agreements lacking a whistleblower carve-out).

And the Speak Out Act 2022 makes pre-dispute NDAs and non-disparagement clauses unenforceable for sexual-harassment and sexual-assault claims. So a US-facing NDA needs express whistleblower and government-report carve-outs and must not purport to silence harassment claims - both as a matter of enforceability and of regulatory exposure.

Confidentiality and personal data

Where confidential information includes personal data, two regimes apply at once: contractual confidentiality protects commercial interests, while data-protection law protects data subjects' rights - and where they conflict, data-protection law prevails. An NDA cannot substitute for a data-processing agreement: it does not cover mandatory breach notification, data-subject-rights assistance, sub-processor management, audit rights, or deletion protocols. Both instruments are needed - the DPA for data-protection compliance and the NDA for broader commercial confidentiality.

The tension is sharpest on access requests. A data subject's right to a copy of their personal data must not adversely affect others' rights, including trade secrets, but cannot be a basis for a blanket refusal; the answer is redaction - provide the data subject's personal data while redacting confidential third-party information. NDA obligations are not a lawful basis to refuse a data-subject access request.

Data protection in flux

The data-protection backdrop is shifting. The UK's Data (Use and Access) Act 2025 is the most substantial post-Brexit divergence, recalibrating the approach to international transfers; and the European Commission renewed the UK adequacy decisions in late 2025, extending them for several years. For cross-border NDAs that move personal data, the transfer mechanism and the order of precedence between the NDA and the data-protection instruments need to be addressed expressly.

So where an NDA touches personal data, add a data-protection compliance carve-out, a DPA cross-reference, an order-of-precedence clause favouring the statutory instruments, aligned retention and deletion, and breach-notification alignment with the regulatory timetable.

The other recurring carve-out failures

A few further pitfalls recur. NDAs should carve out disclosures to professional advisers and disclosures required by regulators (financial-conduct examinations, competition dawn raids, tax-reporting obligations) - a generic confidentiality clause that ignores these creates conflicts the moment a regulator calls. And in some jurisdictions an over-broad NDA can be struck down entirely (a de facto non-compete in California), so breadth is not a free option.

The unifying point is that carve-outs protect the party relying on the NDA as much as the discloser: a clause that is unenforceable for overreach, or that exposes the business to regulatory penalty, is worse than a narrower clause that holds. Draft the carve-outs deliberately, and keep them current as the whistleblower and data-protection rules evolve.

Use at the desk

Practical checklist

  • Carve out compelled disclosure and protected disclosures - an NDA cannot override PIDA 1998.
  • Reflect the Victims and Prisoners Act 2024 (from 1 Oct 2025) - victims can disclose to police, lawyers, regulators, and support services.
  • For US deals, include the DTSA whistleblower-immunity notice and an SEC Rule 21F-17 carve-out; do not silence harassment claims (Speak Out Act 2022).
  • Where personal data is involved, use a DPA as well as the NDA and give data-protection law precedence.
  • Handle data-subject access requests by redaction, not refusal - the NDA is not a lawful basis to refuse.
  • Carve out adviser and regulator disclosures, and avoid overreach that could void the clause.

This guide is informational only and is not legal advice. It does not replace advice from licensed counsel on the facts of a specific transaction.

Product demo

Use the guide for context. Use Veqtor for the Word documents.

Watch Claude compare negotiation drafts and create a separate Word document with proposed tracked changes.

See Veqtor work with Word redlines