30/04/2026

Legal professional privilege (LPP) protects confidential information, documents and communications between a lawyer and a client that are made for the purpose of providing legal advice or services.
Issues surrounding LPP arise when documents address a wider range of topics beyond just providing legal advice or services. This is the core issue in the recent case of Medibank Private Limited v McClure [2026] FCAFC 38.
Background
In 2022, Medibank suffered a major data breach in which cyber criminals gained access to and released 200GB of data, affecting approximately 9.7 million current and former customers. The information stolen included personal medical histories and Medicare, passport and driver licence numbers. A series of Medibank reports from, and communications with, third parties followed this cyber incident.
The data breach sparked a major class action against Medibank, and it was during this class action that the multiple reports relating to the data breach were requested. Medibank claimed, and successfully defended challenges to, LPP for many of these reports. However, issues arose in relation to three wide-ranging reports from Deloitte which covered a legal purpose among other things.
The Court found that three reports from Deloitte were not protected by LPP. The reasoning for this was that the reports had multiple purposes relating to the investigation of the cyber incident and, although there was an element of legal advice, this was not the primary purpose of the reports. The Court assessed the issue of LPP in relation to the context of the report, including why it was commissioned, for what purpose, and whether that report evolved from the original purpose.
It was found that LPP did not apply to reports that were not created for the sole purpose of supporting legal advice even if there was an equally dominant element of legal purpose contained in the report.
The findings from this case are largely consistent with other similar cases, notably Singtel Optus Pty Ltd v Robertson [2024] FCAFC 58. For more information on the Optus case, see "AIC flexes regulatory muscles on Optus for 2022 Data Breach".
What does this mean for you?
It is unlikely that businesses are able to reliably claim LPP over investigation reports that cover a range of purposes, especially where the legal purpose is not the primary purpose of the report.
For LPP to apply, the legal purpose of the report must outweigh all other purposes. In assessing this, the Court can review the context in which the document was created or commissioned.
Generally, if a report is made for the purpose of providing legal advice or services, and the report delivered on that purpose, it should be protected by LPP. Documents that do not meet this standard are at risk of not being protected by LPP.
In the case of cyber incidents, it is important to have a robust internal Data Breach Response Plan with clear instructions on individuals' responsibilities as well as external communication and disclosure. In the case of Medibank Private Limited v McClure, Medibank made public statements regarding investigation reports which essentially waived the privilege over one of the Deloitte reports.
GL’s Privacy team are experts in all matters privacy and can help you in preparing your business against any privacy risks so you don’t become the next Medibank.