LawHawk Guide to Confidentiality Agreements

A confidentiality agreement (also referred to as a "non-disclosure agreement", or "NDA") is a contract where parties agree not to disclose information covered by the agreement, typically used to protect non-public business information such as trade secrets.

Confidentiality Agreements can be as simple or complex as you want. 

If you want a very simple confidentiality agreement that you can complete in a few minutes, and which is suitable for general commercial use, check out our short form confidentiality agreement here.

If you're running a complex process such as an M&A deal, where the information is highly sensitive, and the details matter, we have an extremely comprehensive tool which is available here.


In this summary we will look at a typical New Zealand confidentiality agreement, and some of the key things to consider when drafting one.

Many confidentiality agreements used in practice are far simpler than this summary would suggest. In many cases, all that is required is to fill in the party details, specify who is a Discloser and who is a Recipient, and outline the “Permitted Purpose” of the disclosure. However, even in those agreements someone has (or should have) considered the matters below and decided how they should be dealt with.

Who are the Parties?

A very early consideration should be who the parties to the agreement are. There could be only two, or there could be a number of parties. As an example, the Recipient may actually be a consortium made up of a number of bidders for a project.

While it is possible to have more than one person as a "Disclosing Party" or a "Recipient", in that case you should consider how liability will be apportioned between them.

The Discloser would no doubt prefer that the Recipient parties are “jointly and severally” liable, so that a breach by one will make all liable. This will enable the Discloser to sue all or any of the Recipient parties – whichever will be easiest. They might just go after the entity with the deepest pockets, and then leave it for the Recipients to sort out amongst themselves how liability will ultimately be shared.

Conversely, and for that reason, each Recipient would probably prefer that its liability was several. This means that it could only be liable for its own breaches. If another Recipient party has breached the agreement, it would be up to the Discloser to sue the party in breach.

If each party is to have several liability, there are a couple of ways of doing this:

  • They could be structurally separated by entering into separate documents. This is really clear, and enables individual parties to make tweaks to reflect any particular circumstances that affect them, and not others
  • Alternatively, you could add a clause into the agreement which will specify that the liability of each party is several

Who should be the parties?

Don’t just focus on who the proposed parties are. Think about who they should be. Who will have access to the Confidential Information, what might they do with it, and do they have the financial substance to make good if they breach? Are there other people or entities that should be included?

Who will receive the Confidential Information and what could they do with it?

Think about who will receive the Confidential Information, and what they could do with it. It’s all well and good to have an agreement with a company Recipient, where it agrees to keep the information confidential and not use it to the detriment of the Discloser. But the company is made up of individual employees, and will often have other companies (and individual employees) in its group or advising it. 

If those other companies or individuals could take that information and use it to their benefit, and the detriment of the Discloser, consider if they should also be party directly to the agreement, or at least sign an undertaking (as referred to below). Otherwise the Discloser will need to enforce any confidentiality obligation via the Recipient (if it can).

How deep are their pockets?

Another thing to consider is the financial substance of the parties. Often in a commercial transaction, the entity which is to enter into the transaction will be a new company set up just for that transaction. That company may not have any significant assets of its own, and may only be properly capitalised just before the transaction completes. If it is an unsuccessful bidder in a contested deal, it may never be capitalised.

This means that if the company breaches the agreement, even though it could be sued, it would probably not be worth doing so as it would have no assets to recover against. If a party entering the agreement does not have sufficient assets to make good any breach, you should look for a guarantee from a parent company or other entity that does have sufficient assets, or ask that the parent company or other entity directly enters into the confidentiality agreement itself.

If the entity you are dealing with is named something like “JV Co 2016”, be very alert!

What type of entity is it?

You should also consider the type of party that it is. Different considerations will apply depending on whether it is an individual, a company, a limited partnership, an ordinary partnership, a trust, or some other entity. Trusts can be particularly complicated. Unlike a company, they do not have an indoor management rule, and you cannot assume that the trustees have the power to enter into obligations on a basis that will allow you access to the trust assets if you need to sue them. You have to check the trust deed to be sure of these things. Also, to properly bind the trust, all trustees must sign the agreement.

Take care with overseas parties in particular.

Depending on the type of legal entity, the way in which it needs to sign the agreement (particularly if it is a deed) will vary. You may need to get expert legal advice on this, as it could involve reviewing detailed legal documents like trust deeds, constitutions or other constitutional documents.

Get the legal name right!

Where you are entering party details, you should always ensure that you check the correct legal name. In practice, many agreements are entered into using the wrong name, which can cause problems when it comes to trying to enforce your rights.

There is really no excuse for this. With a company, you can easily check these details by searching the Companies Office website. You can do the same thing with other incorporated entities, both in New Zealand and overseas.

As well as using the registered name to describe the party, it is also very useful to include the registered number. While a company or other incorporated entity can change its name many times, the registration number will never change. Increasingly in the future, using the New Zealand business number will also be a good option for this purpose.

It is also good practice to specify the address of the party for further ease of identification. For an incorporated entity, use the registered address.

Who is disclosing the Confidential Information?

One of the first things you will need to consider is who is disclosing Confidential Information, and whether the confidentiality agreement should be “one way” or “mutual”.

You should select "mutual" if each party may be disclosing Confidential Information to the other(s). In this case, all parties will (except where you specify otherwise) have the same rights and obligations.

If only one party will be disclosing Confidential Information, go with a one-way document. In that case, nearly all the obligations are imposed on the "Recipient". It will be necessary to specify each party that is a "Disclosing Party" and each that is a "Recipient".

You may want to select a mutual confidentiality agreement, even if most of the information is flowing one way, if the possible involvement of the Recipient is required to be kept confidential, or if the commercial terms of the arrangement are themselves confidential. If the Disclosing Party is not prepared to enter into a mutual confidentiality agreement to protect against that, you may need to insert a separate (more limited) confidentiality obligation on the Disclosing Party covering the required matters.

What is “Confidential Information”?

Once you have identified who the parties are, and what roles they will hold, you need to define the scope of the Confidential Information. In doing this, you should consider the following matters.

What is generally “in” as Confidential Information?

Most confidentiality agreements contain a general definition of “Confidential Information”, which is then added to, or subtracted from, in some specific ways.

Does the “Confidential Information” need to be connected with the “Permitted Purpose”?

Usually the Confidential Information disclosed can only be used by the Recipient in connection with a “Permitted Purpose”. Related to that, usually the Confidential Information will only include information which has been disclosed by the Discloser in connection with the Permitted Purpose. This means that if the parties have other relationships (e.g. they do business with each other in the ordinary course of business) those relationships will not be disturbed by the Confidentiality Agreement.

Some Disclosers will want to describe "Confidential Information" as including ALL information they disclose (past, present or future) whether or not it relates to the particular purpose currently in discussion. This may make sense in some cases, such as where there is no other relationship between the Discloser and the Recipient. However, otherwise it is arguably too broad, as it could capture day-to-day information swapped in the ordinary course of business. This may not have any element of confidentiality (and could potentially undermine the protection of the agreement for information that really is confidential), and makes practical compliance more difficult.

In most cases, it should be appropriate to link the Confidential Information to the Permitted Purpose, and not the broader option.

Should information disclosed before signing the confidentiality agreement be protected?

Sometimes, in practice, in the heat of a transaction some information may have already been disclosed before the Confidentiality Agreement has been signed. The Discloser will want to ensure that such information is also protected, and a Recipient should not object to that.

However, where there is a broader description of what is considered "Confidential Information" (i.e. not just limited to the Permitted Purpose), and information has been exchanged in the past without a confidentiality agreement, the Recipient may be more resistant to accepting a new obligation to now keep that information confidential where previously they may have been free to do what they wished with it. They could argue that they should only be bound in respect of any new information from the date of the agreement.

Is there any information to be included as Confidential Information “for the avoidance of doubt”?

In some cases, a Discloser may want to be absolutely clear that certain categories or items of information are clearly agreed as falling within "Confidential Information". Examples you might want to include could be contracts, financial details, customer lists, employee details, specifications, drawings, designs, software etc. You can list these out in as much detail as makes sense.

You might even further split this down so that certain inclusions apply only to a particular party and not all of them.

What should be carved out of “Confidential Information”?

Having established an initial definition of what is in "Confidential Information", it is usual to then carve out certain information from the definition. The 3 most common carve-outs are:

  • Information which is or becomes publicly available (clearly it cannot still be confidential in that case)
  • Information which has been obtained from another source that did not owe a confidentiality obligation to the Discloser in respect of the information
  • Information which has been independently developed.

Already obtained information

For the "already obtained" carve-out, there are additional options under which:

  • the Recipient may be required to demonstrate (by written evidence and/or to the reasonable satisfaction of the Discloser) that it falls within the exception; or
  • you can specify whether the Recipient must have received the information prior to the date of the agreement, or prior to the date it was disclosed by the Discloser to the Recipient.

While there will always be some degree of onus on the Recipient to prove it falls within the exception, you can more specifically place the onus on the Recipient if you wish, which allows you to go further and set out how they must demonstrate this (e.g. by written evidence and/or to the satisfaction of the Discloser).

To some extent (e.g. proving that the source did not owe a duty of confidence to the Discloser) this will be difficult for the Recipient to prove themselves. Because of this, on balance it is probably preferable to leave this to be determined as a question of fact in the event of a dispute.

Timing of prior disclosure

The Discloser may prefer that, for information to fall within this exception (information which has been obtained from another source that did not owe a confidentiality obligation to the Discloser in respect of the information), it must have been obtained prior to the date of the agreement. That probably provides a cleaner cut-off for ensuring information is not leaked in a more indirect way.

A Recipient may argue, however, that the date of the confidentiality agreement is not the right focus - what matters is whether it received the information before it was disclosed by the Discloser to the Recipient.

This could really go either way, depending on the nature of the information and the parties involved.

Independently developed information carve-out

It is common to include an exception to the definition of "Confidential Information" for any information that the Recipient independently developed.

While there will always be some degree of onus on the Recipient to prove it falls within the exception, you can more specifically place the onus on the Recipient if you wish, which allows you to go further and set out how they must demonstrate this (e.g. by written evidence and/or to the satisfaction of the Discloser).

There may be concerns regarding this limb, in that it could be easy for a Recipient to effectively reconstruct Confidential Information (having had the opportunity to review and understand it) and then claim that it was independently generated. In reality, this will be difficult to protect against by drafting. If this is a significant concern, Disclosing Parties should take care with what they disclose, when and how. See the final recommendation.

The Permitted Purpose – what can the Confidential Information be used for?

Now that you have clarified the scope of the Confidential Information, describing the “Permitted Purpose” is one of the most essential aspects. It is here that you make clear what can, and cannot, be done with the Confidential Information.

From the perspective of the Discloser, you will want to make the Permitted Purpose description as specific as possible, so you know exactly what they can use the information for without needing further consent.

From the perspective of the Recipient, you will want to avoid it being too specific - so that you can avoid having to go back for further consent for slightly different purposes.

A general no competition or detriment obligation

It is also possible to include an additional restriction on the use of Confidential Information in any way which is detrimental to, or in competition with, the Discloser.

Arguably, requiring that the Recipient can only use the Confidential Information in connection with the Permitted Purpose gives the Discloser sufficient comfort. However, you can go further and (really, for the avoidance of doubt), specify that the Confidential Information must not be used in any way which is detrimental to, or in competition with the Discloser (with a clarification that using the Confidential Information for the Permitted Purpose is not a breach).

Often these types of provisions are more for the purposes of emphasising the importance of the confidentiality than because they materially add to the existing levels of obligation.

Disclosure to “Representatives”

A Recipient is unlikely to be able to review and use the Confidential Information entirely by itself. It will usually require the help of additional "Representatives". Those Representatives also need to be permitted to review and use the Confidential Information.

Who are the Representatives?

Here is where you need to describe as clearly as possible who the Recipient may want to disclose information to. The Recipient will want to ensure it is wide enough to avoid the need for further, separate, consent, while the Discloser will want to ensure that it is limited to only people it is comfortable with who really need to know the information.

As a starting point, consider something like “in relation to a person means any director, employee, manager, general partner, advisor, financier or prospective financier (and their professional advisors), investor or prospective investor (and their professional advisors), client or prospective client (and their professional advisors) of that person”.

You might then want to add other specific categories of Representatives, or even name particular individuals who are permitted for the avoidance of doubt, even if they are (arguably) included within earlier categories.

Should Related Companies be automatically included as Representatives?

Sometimes where a party is part of a group, the transaction may effectively require the sharing of information within the group, and the Recipient may want to include related companies as a category of permitted Representative.

However, in other cases, there may be no group (so the concept is not relevant), or it may be inappropriate for such sharing to occur and only the specific company should receive and use the information.

You need to consider this in the relevant context. Perhaps rather than being covered as unnamed Representatives, the related companies should become direct parties or sign some sort of direct undertaking.

Do Representatives need to be specifically identified and/or sign any form of direct undertaking?

An issue that nearly always comes up is whether Representatives need to be specifically identified to the Discloser and if they need to sign any form of direct confidentiality obligation.

There are numerous approaches to the further disclosure of information. Some common options are:

  • The Recipient can disclose to Representatives – no need to list Representatives – no further undertakings from Representatives
  • The Recipient can disclose to Representatives – no need to list Representatives – third-party Representatives must sign undertaking if required
  • The Recipient can disclose to Representatives – no need to list Representatives – all Representatives must sign undertaking if required
  • The Recipient can disclose to listed Representatives who must all sign undertaking if required

Some Disclosers may be happy that as long as the party they contract with agrees to be bound by the confidentiality obligations, and to ensure that their Representatives also comply, they do not need to require each Representative to be separately identified and/or required to sign up to their own confidentiality undertaking. This may make sense where the information is not that material, and where the Recipient is a substantial party that can be relied on to ensure compliance or be liable if it doesn't. Be careful if the Recipient is (for example) a special purpose subsidiary which may not have significant assets or if there is a risk that the Representatives might not comply and recourse against the Recipient would not be sufficient practical protection.

Some Disclosers (particularly where the information really is confidential and sensitive) can reasonably insist that they want to know exactly who will be receiving the information, and for those Recipients (or some of them, as required by the Discloser) to also agree to be bound. While this may be administratively burdensome at the outset, it is likely to give more practical protection because those Representatives are likely to think more carefully about what they do with the information, and they can be pursued directly by the Discloser. This can be an advantage if the Representative ceases to be employed by (and under any control of) the Recipient, or if the Recipient cannot be relied on to control the Representative.

Should employees be treated differently than third party Representatives?

You may wish to take a different approach for Representatives that are third parties to a Recipient (e.g. advisers) from the approach you take to employees of the Recipient. You might not make employees sign an undertaking, but might require advisors to.

If you do want to require each additional Representative to sign up to an undertaking, you have options to specify the form of that undertaking now, or leave it for later agreement. This depends to some extent on how contentious you think that discussion might be. Some Representatives, such as banks, will have their own policies regarding what they will or will not do, and sign up to.

Security of information

General Security Obligations

It is common to start by describing some general levels of security that the Recipient must provide, which can be supplemented with specific obligations if required.

Options include an absolute obligation to keep the information secure and confidential, or lesser levels of best endeavours, all reasonable endeavours, or reasonable endeavours.

The Recipient could take on an absolute obligation to keep the Confidential Information secure. In that case, it will be responsible to the Discloser even if there are disclosures beyond its reasonable control. The Recipient may argue that this goes beyond what is reasonable - nothing can ever be totally secure - even the Discloser currently cannot guarantee that about its own information.

Alternatively, the Recipient can agree to use a lower (but still relatively high) standard of care, such as best endeavours or reasonable endeavours. As long as they satisfy these requirements, they will not be liable if there is an unauthorised disclosure.

This will depend to a large extent on the nature and volume of the Confidential Information. If you’re only disclosing a small amount of information, which is highly sensitive, you might more reasonably say you expect the Recipient to absolutely keep that information secure.

Specific Minimum Security Standards

In addition to obliging the Recipient to keep the Confidential Information secure, the Discloser can seek additional legal and practical comfort by specifying additional steps that the Recipient must take to keep the information secure.

This could be an obligation to use at least the same degree of care to avoid disclosure as it uses to protect its own Confidential Information and/or other measures that can be set out. For example, you may wish to include an obligation to comply with the Payment Card Industry Data Security Standard, if that is applicable to your industry.

Obligations to track Confidential Information

As an additional security measure, a Discloser may wish to require that the Recipient must keep a written record of the Confidential Information provided to it and its Representatives and [as an option - so far as is reasonably practicable] of the location of that Confidential Information and any persons holding it.

While it should certainly focus the mind, such an obligation is likely to be regarded as onerous and difficult to comply with by a Recipient. With electronic communication, it is even more difficult (if not impossible) to comply with for a wide variety of general information.

However, in a highly sensitive situation involving a small set of identifiable Confidential Information (perhaps a particular document, in hard copy), it may be appropriate (perhaps with some amendment to tailor the obligation to the particular information).

What should happen where disclosure is required by law, listing rules, or to defend legal proceedings or investigation?

One of the main areas of discussion in a Confidentiality Agreement is what will happen if a Recipient is required to disclose the Confidential Information. To what extent can the Discloser impose its own preferences in that situation?

There are numerous options which can be used to achieve an appropriate balance between the parties.

Even where disclosure is required by law, it is usual for the Recipient to have obligations placed on it, such as to notify the Discloser of the requirement, to take steps to resist or limit disclosure, and to only disclose the minimum required. These are not usually controversial, but a Recipient may still prefer not to have such obligations and restrictions and you should consider whether these should be resisted.

Absolute or best endeavours

In situations where a disclosure is required under listing rules or law, it may not be possible for the Recipient to comply with all of the requirements in the Confidentiality Agreement due to the overriding legal requirement. It may be appropriate therefore to reduce the obligation to one of "best endeavours". This is still a strong obligation, but would give protection to a Recipient if strict compliance was not possible. This will depend on the nature of the parties and the information.

Recipient Discretion

Disclosure is usually permitted if required by law, listing rules or to defend any legal proceedings or investigation relating to the Permitted Purpose. Should the Recipient have a reasonable discretion to determine if these criteria are met? This reduces the risk of the Recipient believing it had to disclose, when it later turns out it didn't (and being in breach as a result).

Alternatively, the Disclosing Party may wish to make this absolute, so the onus is on the Recipient to ensure it gets this right.

This will depend on the nature of the parties and the information.

Right of Recipient to refuse if material adverse effect

Some of the steps that the Disclosing Party may wish to require the Recipient to take in order to prevent or restrict disclosure might be detrimental to the Recipient (e.g. it may affect relationships with key employees, customers, suppliers or regulators).

Should the Recipient be able to refuse to take steps if they will materially adversely affect the Recipient (even if the Discloser needs those steps to be taken to protect its position)? Again this is a balance that is best considered in the specific context.

Do the parties need to agree or just consult on these matters?

Should the Recipient need to agree, or just consult, with the Discloser in respect of the timing, content and manner of any disclosure?

The Discloser will want to ensure there is agreement so they are happy with the approach. It’s their information after all. However, this leaves a risk for the Recipient if agreement cannot be reached but it still needs to disclose.

The Recipient will prefer consultation, so that while it needs to take the Discloser's views into account, it can ultimately form its own opinion and do what it needs to do.

Legal Advice

One safeguard against unnecessary disclosure and which can help address possible arguments about the options above is to require the Recipient to obtain a legal opinion confirming that disclosure is in fact necessary. If a legal opinion is required, you can specify additional requirements around an acceptable lawyer.

While it should be the case that it doesn't matter who the lawyer is that confirms disclosure is necessary, in practice it is not always so straightforward. In many cases, the law will not be "black and white", and it is possible to see how an opinion could be given one way or the other.

Even if there is no actual bias by a solicitor towards their client, the possibility or perception of bias can itself be enough to justify seeking an independent legal opinion and remove scope for argument.

Return or destruction

Once the “Permitted Purpose” is complete, the Confidential Information should usually be either returned or destroyed.

When should the Confidential Information be returned or destroyed?

While it seems logical that the information should be returned or destroyed as soon as it is no longer required, in practice this is not always a clearly identifiable point. Where there are multiple decision makers in an organisation (or a consortium), it can take time for a final decision to be made, and parties may go hot and cold on possible transactions as they do due diligence and consider alternative transactions.

Recipients may therefore prefer that the return or destroy obligation only kicks in on request from the Discloser. This still leaves the Discloser in control of whether to make the request or not, so should be acceptable to them. It does require the Discloser to follow up on this aspect though - which is often not the case. Remember to do this!

Can some Confidential Information still be retained by the Recipient?

A common carve-out requested by Recipients is that they can retain information:

  • backed up in electronic facilities that are not accessible in the ordinary course of daily operations
  • contained in papers or minutes for any board, board committee or investment committee
  • for legal or professional indemnity insurance purposes
  • where required to comply with things like internal policies on corporate governance, risk or audit.

The first three limbs are pretty uncontroversial. For the fourth limb, because the scope of the policies lies with the Recipient, the Discloser may want to enquire as to what those policies say. However, there is still some level of protection in that the information will be required to be kept confidential.

A Certificate of Compliance can focus the mind

As an additional protection, and to focus the mind of senior people at the Recipient, it is good practice for a Discloser to (at least have the option to) require that the Recipient provides a certificate by a director or senior officer of the Recipient confirming compliance with its return/destroy obligations and having used all reasonable endeavours to ensure that the Recipient's Representatives have also done so. In the absence of such a requirement, in practice, Recipients may move onto other opportunities without completing compliance with this agreement.

If the Discloser wishes, it could also require that such a certificate must identify in reasonable detail any Confidential Information the Recipient has retained to comply with internal policies.

Should you use an Agreement or Deed?

You need to decide whether the confidentiality agreement should be an agreement or a deed. To decide this, consider:

  • Is there clear (and current) consideration from each party? If not, you may need a deed (which does not require consideration). Usually this will not be an issue, as there will be clear consideration provided to the Recipient by the Discloser sharing Confidential Information with them. However, do think about whether the information has already been provided. If so, it may be "past consideration" which might not be sufficient. In that case, for certainty, you may want a deed.
  • Deeds require more formal execution (e.g. a company may require 2 directors), which can raise practical issues for some entities (particularly when timing is tight).

In general, it is preferable to have important documents executed as deeds unless that is not possible. This is the approach that banks usually take to the execution of loan and security documents for instance. However, in many transactions, where speed is important and consideration is not an issue, an agreement will be fine.

Term of Obligations

For certainty, some Recipients will ask that their obligations have an expiry date, so that they do not continue to have to comply with confidentiality obligations for an unlimited period of time when, arguably, the information after a specified period will have ceased to be material.

However, Disclosers should take care with this, because depending on the nature of the information, it may still be highly confidential at the end of the specified period and they would not want another party (perhaps a competitor) to be contractually entitled to use it. The Discloser could argue that the Recipient needs to manage this risk (and if it is concerned that managing and keeping information secure could be too difficult, it could return or destroy all information to avoid any risk of inadvertent use).

Generally it is hard to see why a term is needed. If you do agree to a term for the confidentiality obligations, consider whether there is any "Key Confidential Information" that should be required to remain subject to confidentiality obligations, even after the general expiry date. For example, this might include some valuable contracts, or employee information.

This will depend on the nature of the information, the parties, and their respective priorities and bargaining strength.

Should you include an indemnity for breach?

Consider carefully whether to include an indemnity for breach. While it seems attractive on the face of it, in practice the Discloser already has an ability to claim damages for breach.

The indemnity may not give much, if any, practical additional benefit, but may result in significant negotiations and cost. Few people really understand what they are getting/giving (or not getting/giving) from an indemnity and will either request it, or resist it, as a matter of course. One possible benefit could be to extend the range of losses which are recoverable (to include indirect, as well as direct). However, in practice as indemnities are usually negotiated and limited, this possible benefit is expressly removed (to the point where the end outcome may be worse than would apply in an ordinary damages claim).

Some parties may have practical difficulty giving indemnities. This may be for legal reasons (e.g. the Government can only give indemnities in certain circumstances) or practical ones (the organisation's internal policies restrict giving indemnities and it will be difficult to get approval in time).

How will you serve notices on each other?

You should consider how notices under the agreement will be served on each party.

While it is useful to enter a registered address for the purposes of identifying the parties, that may not be the best address to use for serving notices. This is particularly so when a party is incorporated or resident overseas. In that case, you may wish to ensure that the overseas party appoints a New Zealand process agent on whom notices can be served.

You should also consider whether notices can be served by email or by fax.

Nobody uses faxes anymore for day-to-day correspondence, but they can have some advantages in terms of certainty about when a notice has been successfully delivered.

Increasingly, people are becoming more comfortable with serving formal notices by email, but it remains a relatively unreliable means of delivery: many emails are still blocked as spam, and if Recipients are away, there is no formal system for ensuring that the email comes to the attention of somebody else. It is therefore still good practice to ensure that emails are only regarded as having been received if the Recipient actually confirms receipt. Usually this won’t be an issue in practice, as they will reply in some way or other. If that does not occur, then there are other options such as fax or personal delivery which could be used instead.

Restrictions on Assignment

The Discloser will usually want to know that it is only dealing with the Recipient, and not any possible assignee of the Recipient. It is also useful to confirm that the Recipient is not acting as agent on behalf of anyone else.

However, sometimes the Discloser will want or need the ability to assign. For example, if it is selling its subsidiary/business, and disclosing valuable information relating to that subsidiary/business, it may want or need to assign the benefit of the confidentiality obligations to the new owner.

After the sale goes through, the Disclosing Party no longer has any substantive interest in the confidentiality. It is the subsidiary/business and its new owner that are most concerned about protecting the Confidential Information. Ideally, the agreement should be assignable to either the subsidiary and/or the successful purchaser.

You can address this by either only restricting assignment for the Recipient, or (if all parties are restricted) allowing a specific carve-out for the Disclosing Party.

Another way of addressing this is through using the Contracts (Privity) Act 1982 and making the agreement for the benefit of the appropriate person(s).

Change of Control

As well as placing restrictions on the parties’ ability to assign their rights under the document without consent, you can also deem a change of control to be an assignment or novation.

Whether this should be required or not will depend on the nature of the party. If it is a small company, where it matters who the shareholders are, then you would want to restrict changes in control. If it is a significant listed company, then arguably it would matter less if it was taken over. However, it will very much depend again on how sensitive the information is, and the potential for sensitive information to end up in the hands of someone unacceptable to the Discloser.

Other possible options or provisions that may be relevant

There are many other concepts which may be relevant in some situations. However, these are not that common, and may not be applicable in many situations at all.


In some (particularly) competitive situations, bidders may actually form a consortium to bid. In that case, you may want to include provisions such as:

  • a definition of the consortium
  • ability for consortium members to disclose Confidential Information to each other
  • restrictions on the ability to form or make changes to consortia without some form of approval

If the provision relates to an existing consortium, you can set out details of which party is a member of the consortium.

If there is currently no consortium, the obligation would be on the party not to enter into a consortium without consent of the Discloser.


Transactions can be very expensive! Before committing extensive resources to a possible transaction, parties are likely to want to know whether they are the only party in the process, or if they are only one of a number of possible bidders.

If the intention is that negotiations will be exclusive, you should note that it is not possible to "lock in" a party to negotiations. The Courts will not enforce that type of obligation. However, it is possible for a party to agree that it will not negotiate with anyone else for a set period.


In a competitive process, the party running the process may want to ensure that bidders do not unnecessarily disrupt the process or underlying business by directly approaching key people like customers, employees, landlords etc. You may therefore want to prohibit those types of inquiries.

In any transaction (competitive or otherwise) it may also be useful to appoint a particular person as a designated central point for communications, so that all communications must be directed through that person. This may not be an employee of a party – it could, for example, be a person from an investment bank that is running the transaction process.

One simple way to limit contact is to specify that no contact may be made with anyone in relation to the Project (and therefore, by definition, non-Project related contact is not restricted). Alternatively, if the organisations already have a relationship, you can make clear that contact in the ordinary course of business is still permitted. Either is fine, depending on the context.


In a competitive process, you may wish to set out more express provisions aimed at preventing collusion between possible bidders, and specifying the consequences that will result if collusion is identified.

Legal Privilege

Some information which Recipients may be particularly interested in may be subject to legal privilege – for example, whether they are being sued and the likelihood of being found liable. Unfortunately, the disclosure of that information could result in privilege being lost. There are various reasons why disclosure might be made with privilege being retained (e.g. common interest privilege). Whether that is possible will depend very much on the circumstances, and you should obtain specific legal advice on that point.

Insider Trading

If one of the parties is subject to insider trading laws (e.g. the Financial Markets Conduct Act 2013), that raises additional issues regarding the disclosure of potentially price-sensitive information. You may wish to impose specific "standstill" restrictions on the ability of a Recipient to use information to trade, but some Recipients (e.g. investment banks) which operate using information barriers may have additional issues with complying with blanket restrictions.

A Discloser may want to make it clear that the Recipient will not use Confidential Information to acquire securities in the Discloser (a “standstill”). This is a blanket prohibition - not just trading using Confidential Information. In this case, you should specify a term for the standstill period, as it is probably unrealistic to request that a party cannot trade in securities it could otherwise trade in, indefinitely.

You may be asked to include an exemption to the standstill for financial institutions. The reason for including such an exemption is that some larger financial institutions operate numerous business units, which are separated by information barriers. While one business unit may be looking at entering into a possible transaction (e.g. a takeover) for itself or a client, it is possible that another unit could be buying and selling securities as part of its other businesses, such as brokerage, asset management, or investment banking. The other unit should not be aware of the possible takeover or the standstill arrangement.


While the Confidentiality Agreement already contains restrictions on the use of the Confidential Information to the "Permitted Purpose" (and may go further and require the Recipient not to use it for competition or detriment to the Disclosing Party), you may also want to set out a more detailed non-compete provision.

If so, it is important to ensure that any restriction is no broader than it needs to be, or it could be unenforceable.

Options include: no competition at all; ordinary course competition as long as there is no use of Confidential Information; and any competition as long as there is no use of Confidential Information.

You also need to include a period for the restriction, and perhaps limit it to a particular geographic area. In general terms, between 2 and 3 years is quite common and should be considered enforceable. However, you should take specific advice (this article is not advice!).


While the Confidentiality Agreement already contains restrictions on the use of the Confidential Information to the "Permitted Purpose" (and may go further and require the Recipient not to use it for competition or detriment to the Disclosing Party), you may also want to set out more detailed non-solicitation provisions about the Disclosing Party's employees.

To have the greatest chance of enforceability, don't ask for more than is realistically required. Consider, for example, if it is all employees, or just management, that are most important to protect.

Independent Trustees

If one or more of the parties are trustees of trusts, you may want to limit the liability of an "independent trustee" to the assets of the trust, subject to particular exceptions.

Limited liability should not be included as an automatic consequence of having a trustee as a party. If none of the trustees are independent, for example, usually you would expect all the trustees’ liability to remain personal and unlimited.

There may also be situations where, even if the trustee is independent, it is not appropriate for their liability to be limited. For example, if the obligation was one which was entirely within the trustee's control (e.g. to maintain confidentiality of some specific information), it is not clear why liability should be limited in that situation. The independent trustee should just not disclose it!

Don’t disclose anything that is really important until you have to

After all of the above, you should have a really tight confidentiality agreement, right?

Technically yes, but in practice you should be aware that many people will sign these documents without much thought or care because it’s the price of getting access to the information and they know that they are very difficult to enforce in practice. Once they have it, you no longer have control of your information and they may well use it without you knowing or being able to do anything about it.

The best practical steps you can take are to think very carefully about what you disclose, and when. If something is particularly sensitive, consider holding it back until a “black box” stage of the transaction, where you can disclose it on more protective terms. For instance, once you have your preferred bidder you could disclose it only to a few key people in a more controlled way. Maybe they can read the material in a data room, but cannot take copies. Or an independent third party could review the material and report to them on whether there are any issues.

Hopefully this has been valuable to expand on the range of things you might want to consider when drafting a Confidentiality Agreement and ensuring it really is fit for a particular purpose. It may also assist with reviewing Confidentiality Agreements prepared by others.

If you want a really easy and fast way to navigate through the considerations above, try the LawHawk Confidentiality Agreements. You can see our comprehensive long-form confidentiality agreement here, and our simple short form confidentiality agreement here.

This summary reflects the questions in the interview for our long form confidentiality agreement.

This summary is subject to LawHawk’s Terms and Conditions.