Categories Of Confidential Information In United Kingdom Employment NDAs
| Information Category | Business Function | Employment Examples | Suggested Protection Level | Common Exclusions | Definition Notes |
|---|---|---|---|---|---|
| Trade secrets and secret know-how | Commercial, Technical, Strategic | Secret formulas, algorithms, methods, processes, business models and proprietary know-how. | Restricted Access | Public domain, independently developed, lawfully obtained, reverse engineered where lawful, or required by law. | State that reasonable steps are taken to keep the information secret. |
| Customer and client lists | Commercial | Names, contacts, account histories, buying patterns, renewal dates and key decision-makers. | Enhanced Confidentiality | Publicly available contacts, employee's general skill and knowledge, or lawfully received data. | Distinguish confidential compiled lists from public or LinkedIn information. |
| Sales prospects and lead pipelines | Commercial, Strategic | Lead scores, sales funnels, target accounts, conversion notes and opportunity values. | Enhanced Confidentiality | Publicly known prospects, independently generated leads, or information disclosed with consent. | Define whether CRM exports, reports and informal notes are covered. |
| Pricing, discount and margin information | Commercial, Financial | Rate cards, negotiated discounts, minimum margins, rebate terms and price modelling. | Restricted Access | Published prices, customer-disclosed terms, independently calculated market comparisons, or legal disclosure. | Separate public list prices from confidential pricing methodology and discount authority. |
| Supplier terms and procurement data | Commercial, Financial, Operational | Supplier pricing, volume rebates, framework terms, tender responses and vendor performance scores. | Enhanced Confidentiality | Published framework terms, information approved for supplier disclosure, or required procurement disclosure. | Include information received under third-party confidentiality obligations. |
| Business plans and forecasts | Strategic, Financial, Commercial | Growth plans, revenue forecasts, board packs, market entry plans and resourcing assumptions. | Restricted Access | Public investor materials, historic non-sensitive information, or independently developed analysis. | Specify whether drafts, scenarios and board presentations are included. |
| Marketing strategy and campaign plans | Commercial, Strategic | Launch calendars, segmentation plans, campaign budgets, creative briefs and performance data. | Standard Confidentiality | Published campaigns, public brand guidelines, or agency materials approved for external use. | Protect pre-launch plans more strongly than public-facing materials. |
| Product roadmaps and release plans | Technical, Commercial, Strategic | Feature roadmaps, release dates, beta plans, backlog priorities and go-to-market timing. | Restricted Access | Announced releases, public demos, independently developed ideas, or authorised partner briefings. | Include prototypes, internal tickets and product management documentation. |
| Research and development materials | Technical, Strategic | Experiment results, prototypes, lab notes, technical drawings, test data and feasibility studies. | Restricted Access | Published research, open-source materials, independently created work, or lawfully disclosed results. | Clarify ownership and confidentiality of inventions created during employment. |
| Source code and software architecture | Technical | Repositories, branches, architecture diagrams, build scripts, deployment files and code comments. | Restricted Access | Open-source code, public APIs, independently written code, or licensed third-party components. | Identify repository access, copying restrictions and return or deletion obligations. |
| Algorithms, models and analytics methods | Technical, Strategic | Ranking models, scoring logic, training methods, optimisation rules and model parameters. | Restricted Access | Published methods, academic knowledge, independently developed models, or lawful open-source tools. | Define model artefacts, prompts, weights, parameters and evaluation datasets where relevant. |
| AI training data and prompt libraries | Technical, Commercial, Personal Data | Prompt templates, fine-tuning sets, labelled examples, evaluation data and model output reviews. | Special Handling Required | Public datasets, open prompts, anonymised materials, or independently created training data. | Address personal data, IP rights, bias testing data and third-party licence limits. |
| Technical designs and specifications | Technical | CAD files, schematics, engineering drawings, API specifications and system diagrams. | Restricted Access | Published standards, customer-approved manuals, independently produced designs, or public patents. | Include draft, obsolete and marked-up versions if still commercially sensitive. |
| Cybersecurity controls and vulnerabilities | Technical, Operational | Pen-test reports, vulnerability lists, firewall rules, incident reports and security architecture. | Special Handling Required | Public advisories, vendor bulletins, general security knowledge, or mandated regulator reports. | Restrict access and allow lawful reporting of security issues or protected disclosures. |
| Passwords, credentials and access keys | Technical, Operational | Passwords, API keys, tokens, certificates, SSH keys and privileged account details. | Special Handling Required | None for live credentials except legally compelled disclosure to authorised persons. | Require immediate reporting, rotation and secure storage; avoid sharing by email or chat. |
| Management accounts and internal financials | Financial | P&L reports, cash-flow forecasts, balance sheets, budget variance reports and KPIs. | Restricted Access | Filed accounts, public investor reports, legally required disclosures, or audited published figures. | Distinguish public statutory accounts from internal management information. |
| Payroll, pay bands and compensation data | Financial, Personal Data, Operational | Salary records, bonuses, commission plans, pensions, benefits, deductions and pay review data. | Special Handling Required | Employee's own pay disclosure, legally required reporting, or anonymised aggregate pay data. | Do not restrict lawful discussions aimed at equal pay or discrimination rights. |
| Employee personal data | Personal Data, Operational | Home addresses, dates of birth, contact details, HR records, absence records and appraisals. | Special Handling Required | Data subject rights, lawful HR processing, legal obligations, or authorised regulatory disclosure. | Align confidentiality wording with UK GDPR and the Data Protection Act 2018. |
| Special category personal data | Personal Data | Health, disability, ethnicity, biometric, union membership, religion and sexual orientation data. | Special Handling Required | Legal claims, employment law obligations, explicit consent, or statutory disclosure requirements. | Use strict access controls and separate privacy notices from NDA confidentiality wording. |
| Criminal offence and DBS information | Personal Data, Operational | DBS checks, criminal record declarations, vetting notes and safeguarding assessments. | Special Handling Required | Statutory safeguarding disclosure, legal claims, regulator reporting, or authorised DBS processing. | Reference lawful basis and limit access to staff with a clear need to know. |
| Customer personal data | Personal Data, Commercial | Customer names, addresses, order histories, support tickets, recordings and account identifiers. | Special Handling Required | Data subject rights, processor instructions, legal disclosure, consented sharing, or anonymised data. | Ensure NDA duties support, not replace, data protection policies and contracts. |
| Recruitment and applicant information | Personal Data, Operational | CVs, interview notes, references, assessment scores, salary expectations and offer terms. | Special Handling Required | Candidate access rights, lawful reference requests, legal claims, or statutory disclosure duties. | Cover hiring managers, recruiters and panel members who access applicant records. |
| HR investigations, grievances and disciplinaries | Personal Data, Operational | Witness statements, complaint records, investigation reports, outcomes and appeal materials. | Special Handling Required | Legal claims, protected disclosures, regulator reports, employee representation, or required evidence disclosure. | Avoid clauses that gag whistleblowing or prevent participation in legal proceedings. |
| Legal advice and privileged communications | Operational, Strategic | Solicitor advice, litigation strategy, settlement discussions and draft legal correspondence. | Restricted Access | Court orders, statutory reporting, regulatory cooperation, independent legal advice, or permitted disclosures. | Do not imply employees cannot report wrongdoing or take independent legal advice. |
| Whistleblowing and protected disclosure material | Operational, Personal Data, Strategic | Reports of wrongdoing, safety concerns, fraud allegations, compliance breaches and regulator evidence. | Special Handling Required | Protected disclosures, prescribed person reports, legal advice, law enforcement, or court-required disclosure. | State expressly that the NDA does not prevent protected disclosures. |
| Board papers and senior management reports | Strategic, Financial, Operational | Board minutes, executive dashboards, risk registers, strategy papers and committee packs. | Restricted Access | Published minutes, Companies House filings, legally compelled disclosure, or shareholder communications. | Define access for executives, assistants and employees preparing board materials. |
| Mergers, acquisitions and investment plans | Strategic, Financial, Commercial | Due diligence files, target lists, valuation models, investor decks and deal timetables. | Restricted Access | Public announcements, regulatory filings, lawfully received market rumours, or mandated disclosure. | Consider insider information controls for listed or market-sensitive transactions. |
| Bids, tenders and proposal strategy | Commercial, Financial, Strategic | Bid pricing, win themes, competitor analysis, tender drafts and clarification responses. | Restricted Access | Published contract awards, public procurement notices, debrief information, or required transparency disclosure. | Cover pre-award and post-award documents, including subcontractor inputs. |
| Contract terms and negotiation positions | Commercial, Financial, Strategic | Redlines, fallback clauses, settlement ranges, liability caps and approval limits. | Enhanced Confidentiality | Executed terms made public, legally required disclosure, or terms disclosed by the counterparty. | Protect negotiation strategy separately from final contracts accessible in the business. |
| Invention records and unpublished IP filings | Technical, Strategic | Invention disclosures, patent drafts, design files, filing strategy and examiner correspondence. | Restricted Access | Published patent applications, granted patents, public designs, or independently developed inventions. | Keep inventions confidential before filing to avoid loss of novelty. |
| Manufacturing processes and production methods | Technical, Operational | Process parameters, recipes, tooling settings, quality tolerances and production workflows. | Restricted Access | Published standards, visible process steps, lawful reverse engineering, or supplier public materials. | Define whether shop-floor observations, manuals and training notes are covered. |
| Quality assurance and testing data | Technical, Operational | Test protocols, defect logs, acceptance criteria, batch results and failure analysis reports. | Enhanced Confidentiality | Published certification results, regulator-required disclosure, customer-approved reports, or public recalls. | Flag safety-critical findings that may need lawful external reporting. |
| Operating procedures and internal manuals | Operational | SOPs, playbooks, escalation paths, service scripts, onboarding guides and internal checklists. | Standard Confidentiality | Public manuals, customer-facing guides, common industry practice, or independently written procedures. | Identify any manuals containing trade secrets or security details for higher protection. |
| Logistics and supply chain information | Operational, Commercial | Routes, stock levels, warehouse layouts, carrier rates, lead times and contingency plans. | Enhanced Confidentiality | Public delivery information, supplier-disclosed facts, published service levels, or legal disclosure. | Treat security-sensitive site and route information as restricted access. |
| Site security and premises information | Operational, Technical | Alarm codes, access schedules, CCTV locations, floor plans and visitor procedures. | Special Handling Required | Public building plans, lawful emergency disclosure, police requests, or authorised contractor access. | Live codes and access plans should be separately controlled and promptly changed. |
| Incident response and crisis management plans | Operational, Technical, Strategic | Breach playbooks, crisis contacts, communication drafts, recovery plans and tabletop outcomes. | Restricted Access | Required ICO reports, public notices, law enforcement disclosures, or customer notifications. | Allow time-critical lawful reporting to regulators and affected persons. |
| Compliance audits and regulatory reports | Operational, Strategic | Internal audits, control findings, remediation plans, regulatory correspondence and assurance reports. | Restricted Access | Regulator submissions, legally required reports, public enforcement notices, or protected disclosures. | Do not restrict cooperation with regulators or reporting legal breaches. |
| Health, safety and environmental risk records | Operational, Personal Data | Risk assessments, accident reports, safety audits, exposure records and corrective action plans. | Enhanced Confidentiality | HSE reporting, worker consultation, legal claims, emergency disclosure, or protected disclosures. | Confidentiality must not prevent statutory health and safety reporting. |
| Employee performance and appraisal records | Personal Data, Operational | Objectives, ratings, manager notes, promotion discussions, development plans and warnings. | Special Handling Required | Employee access rights, legal claims, union representation, or authorised HR disclosure. | Limit access to HR, managers and others with a genuine need to know. |
| Redundancy, restructuring and workforce plans | Strategic, Operational, Personal Data | Selection pools, scoring matrices, consultation plans, headcount models and proposed role changes. | Restricted Access | Collective consultation, employee representation, legal claims, regulator disclosure, or statutory notices. | Do not prevent statutory consultation or employees taking advice on redundancy rights. |
| Equality, diversity and inclusion data | Personal Data, Operational, Strategic | Diversity monitoring, pay gap analysis, disability adjustments and discrimination complaint data. | Special Handling Required | Equality reporting, legal claims, protected disclosures, employee rights, or anonymised statistics. | Protect individual data while permitting lawful equality and discrimination rights activity. |
| Internal communications and unpublished announcements | Operational, Strategic | Internal emails, Slack messages, intranet drafts, town hall notes and staff announcements. | Standard Confidentiality | Public announcements, lawful evidence disclosure, whistleblowing, or employee consultation materials. | Avoid treating all workplace conversation as confidential without a business reason. |
| Training materials and internal methodologies | Operational, Commercial | Sales scripts, training decks, coaching materials, onboarding courses and service frameworks. | Standard Confidentiality | Public training content, general professional skills, independently created materials, or licensed content. | Separate employer materials from employee's retained general experience and skills. |
| Competitor intelligence and market analysis | Commercial, Strategic | Market maps, competitor pricing analysis, SWOT reports, win-loss analysis and positioning notes. | Enhanced Confidentiality | Public market reports, independently researched information, lawful observations, or third-party publications. | Exclude unlawfully obtained competitor information and remind staff not to misuse others' secrets. |
| Partner, reseller and affiliate information | Commercial, Operational | Partner margins, reseller lists, referral terms, channel strategy and co-marketing plans. | Enhanced Confidentiality | Public partner directories, authorised joint announcements, lawfully received information, or public terms. | Include confidentiality duties owed to partners and channel participants. |
| Insurance, claims and risk information | Financial, Operational, Strategic | Policy limits, claim files, loss histories, risk registers and broker communications. | Enhanced Confidentiality | Regulator disclosure, court proceedings, insurer requirements, legal claims, or public filings. | Protect claim strategy and privileged material separately from routine policy documents. |
| Tax planning and HMRC correspondence | Financial, Strategic | Tax advice, transfer pricing files, VAT positions, PAYE issues and HMRC enquiry correspondence. | Restricted Access | HMRC disclosure, statutory reporting, legal proceedings, whistleblowing, or published tax strategy. | Do not prevent reporting tax evasion or other unlawful conduct. |
| Banking and payment information | Financial, Operational | Bank details, payment files, merchant IDs, card processing data and treasury instructions. | Special Handling Required | Bank-required disclosure, fraud reporting, legal compulsion, auditor access, or authorised processors. | Apply segregation of duties and secure handling to prevent fraud and misuse. |
| Payment card and cardholder data | Financial, Personal Data, Operational | PANs, cardholder names, expiry dates, transaction logs and payment support records. | Special Handling Required | Processor access, chargeback handling, fraud reports, legal compulsion, or properly tokenised data. | Reference PCI DSS obligations where the employer handles cardholder data. |
| Virtual data room materials | Commercial, Financial, Strategic, Personal Data | Due diligence folders, access logs, investor Q&A, disclosure bundles and indexed documents. | Restricted Access | Public filings, investor-approved releases, compelled disclosure, or information disclosed under separate NDA. | Control downloads, screenshots, forwarding and access after the project ends. |
| Remote working and device access information | Technical, Operational, Personal Data | VPN profiles, device configurations, endpoint logs, remote desktop settings and access permissions. | Restricted Access | Employee personal content, lawful monitoring notices, IT support access, or security incident disclosure. | Coordinate NDA wording with IT, monitoring and BYOD policies. |
| Employee monitoring and workplace analytics data | Personal Data, Operational, Technical | Access logs, productivity metrics, CCTV records, call recordings and keystroke analytics. | Special Handling Required | Subject access rights, disciplinary evidence, legal claims, regulator requests, or transparency duties. | NDA clauses must not conceal monitoring from workers where transparency is required. |
| Customer support records and call recordings | Personal Data, Commercial, Operational | Tickets, chat logs, call recordings, complaints, refund notes and account recovery records. | Special Handling Required | Subject access rights, complaint handling, legal claims, regulator disclosure, or anonymised trends. | May contain customer personal data, payment data and commercially sensitive complaint patterns. |
| Unreleased communications and PR plans | Commercial, Strategic | Press statements, crisis Q&A, social calendars, embargoed announcements and spokesperson briefs. | Enhanced Confidentiality | Published statements, journalist-authorised releases, public posts, or legally required notices. | Mention embargoes and authorisation rules for external communications. |
| Data protection assessments and privacy risk records | Personal Data, Operational, Strategic | DPIAs, LIA assessments, privacy risk logs, mitigation plans and processing maps. | Restricted Access | ICO consultation, subject rights, statutory records, legal claims, or regulator disclosure. | Protect security and risk details while allowing statutory accountability obligations. |
| Personal data breach records | Personal Data, Operational, Technical | Breach logs, containment steps, affected individuals, root cause analysis and notification drafts. | Special Handling Required | ICO notifications, affected person notices, law enforcement, legal claims, or processor reporting. | NDA terms should preserve urgent breach reporting and notification duties. |
| Internal databases and structured datasets | Technical, Commercial, Personal Data | CRM databases, product catalogues, data warehouses, analytics tables and curated datasets. | Restricted Access | Open data, licensed public datasets, anonymised extracts, or independently compiled datasets. | Define extracts, exports, screenshots and database schemas as confidential where appropriate. |
| API, integration and platform configuration | Technical, Operational | API endpoints, integration maps, webhooks, configuration files and environment variables. | Restricted Access | Public API documentation, open standards, customer-approved integration guides, or open-source configs. | Treat secrets, tokens and live environment details as special handling. |
| Cloud infrastructure and hosting configuration | Technical, Operational | Cloud architecture, IAM policies, network rules, backups, regions and deployment pipelines. | Restricted Access | Public status pages, published architecture summaries, lawful audit disclosure, or vendor support access. | Include diagrams and runbooks that could expose attack paths or resilience weaknesses. |
| Backup and disaster recovery information | Technical, Operational | Backup schedules, recovery keys, restore procedures, resilience tests and continuity runbooks. | Restricted Access | Auditor review, regulator disclosure, emergency access, or vendor recovery support. | Protect recovery credentials and ransomware response details with special handling. |
| Outsourcing and service provider information | Operational, Commercial, Personal Data | Service levels, processor details, escalation contacts, audit rights and supplier risk assessments. | Enhanced Confidentiality | Regulator disclosure, customer contract disclosure, processor instructions, or published supplier lists. | Account for third-party NDAs, data processing agreements and subcontractor controls. |
What Information Should A UK Employment NDA Protect?
An employment NDA should group confidential information by business function, such as commercial, financial, technical, operational, personal data and strategic information. The most sensitive categories usually include trade secrets, source code, unreleased products, M&A plans, pricing strategy, customer lists, payroll data and special category personal data.
When Is Extra Protection Needed?
Use Restricted Access or Special Handling Required where disclosure could cause serious commercial, legal or data protection harm. In the UK, personal data must be handled consistently with UK GDPR and the Data Protection Act 2018, and trade secrets may be protected where reasonable steps are taken to keep them secret.
What Exclusions Should Be Included In An Employment NDA?
Common exclusions should cover information that is already public, previously known to the employee, independently developed without using the employer's confidential information, lawfully received from a third party, or required to be disclosed by law, court order or regulator.
How Should Employment NDAs Be Drafted For UK Use?
- Define categories precisely: avoid vague wording by listing practical employment examples for each information type.
- Separate personal data: confidentiality clauses should not override statutory data protection duties or employee rights.
- Identify trade secrets: expressly mark high-value secret know-how, formulas, algorithms and business methods as requiring restricted access.
- Preserve lawful disclosures: NDAs should not prevent whistleblowing, protected disclosures, regulatory reporting or disclosures required by law.
- Match handling to risk: board papers, security credentials, source code, bid strategy and HR investigation material normally need tighter access controls than routine internal policies.