
Privilege claims put to the test: Dominant purpose unmasked
In Medibank Private Limited v McClure [2026] FCAFC 38, the Full Court of the Federal Court refused an application for leave to appeal, reaffirming the strict application of the dominant purpose test for legal professional privilege in the context of forensic reports obtained in response to a cyber incident.
The decision provides important guidance for businesses intending to commission third-party investigations following an incident, particularly those involving regulatory, governance and public interest considerations.
Background
In October 2022, Medibank Private Limited (Medibank) identified that it had suffered a high-profile ransomware cyber incident. This involved unauthorised access to, and exfiltration and publication of, customer data. Medibank enacted its crisis management protocol and retained King & Wood Mallesons (Mallesons) to advise on anticipated litigation and regulatory exposure.
At the same time, Deloitte Risk Advisory (Deloitte) was engaged to prepare the following reports:
- a post-incident report;
- a root cause analysis report; and
- a report addressing compliance with APRA Prudential Standard CPS 234.
Affected customers commenced class action proceedings against Medibank and sought access to various reports prepared for Medibank by Deloitte and other vendors. In response, Medibank asserted legal professional privilege over those reports, contending that they were commissioned for the dominant purpose of enabling its lawyers to provide legal advice in relation to anticipated class action and regulatory proceedings.
A critical issue was whether that legal purpose prevailed as the ‘dominant purpose’, or whether it had been overridden by some other purpose.
First instance decision
At first instance, the Federal Court rejected Medibank’s privilege claims over the Deloitte reports (while upholding privilege claims over reports by other vendors). While the primary judge accepted that obtaining legal advice was one purpose for commissioning the Deloitte reports, her Honour held that Medibank had failed to establish that it was the dominant purpose.
Significant weight was given to contemporaneous objective circumstances, including:
- public statements framing the external review as an exercise in “learning from the event” and strengthening customer safeguards;
- engagement with APRA concerning the scope and governance of the review;
- the integration of the review into board-level governance and remediation processes; and
- the compliance-focused aspects of Deloitte’s work.
Her Honour also found that privilege over the post-incident review had been waived by reason of Medibank’s public statements, albeit in part only.
Appeal
Medibank sought leave to appeal to the Full Court, on the basis that the primary judge erred in concluding that the Deloitte reports were not prepared for the dominant purpose of obtaining legal advice.
In refusing Medibank's application for leave to appeal and dismissing the appeal itself, the Full Court upheld the primary judge’s decision and found that privilege did not apply to the Deloitte reports.
Assessment of ‘dominant purpose’ is objective
The Court reaffirmed that privilege turns on identifying the prevailing, or most influential, purpose for which a document was created[i]. That inquiry is objective and not determined solely by the subjective intent of those involved[ii].
Whilst the Court accepted that Medibank’s senior executives and lawyers gave honest and consistent evidence that legal advice was contemplated, that evidence was not determinative of the dominant purpose. In the context of a large corporation responding to a cyber incident across multiple fronts, the Court emphasised the necessity of examining the full context, including contemporaneous documents, governance arrangements, and regulatory engagement.
Regulatory, governance and public statements matter
The Court accepted that the structuring of Deloitte’s engagement through Mallesons; the anticipated litigation; and the legitimate legal purposes for which the reports were commissioned supported the conclusion that the reports were, in many respects, for the purpose of assisting Mallesons to advise Medibank on its legal obligations. However, the Court concluded that substantial additional purposes existed from the outset, including regulatory compliance, governance and organisational remediation[iii].
That conclusion was reinforced by Medibank’s public ASX statements, which framed the review as an exercise in “learning”, commitments to sharing outcomes where appropriate, the integration of the review into board‑level governance processes, and APRA’s active involvement in shaping the scope of the reports[iv]. In those circumstances, the Court held that the reports were not conceived as a strictly legal exercise and that the non‑legal purposes ultimately outweighed the asserted legal purpose.
Distinction between purpose and waiver
Medibank contended that the primary judge had erroneously conflated its evaluation of the dominant purpose of the Deloitte reports with an assessment of whether Medibank’s conduct in relation to the reports amounted to a waiver of the asserted privilege.
The Full Court rejected the contention that the primary judge had conflated dominant purpose with waiver. Public statements and regulatory engagement were properly treated as evidence indicative of an objective purpose, with waiver addressed as a separate and later inquiry[v].
Implications
- Dominant purpose test: the test will continue to be determined by reference to all facts and circumstances, including the practical roles a document is intended to serve. The mere involvement of lawyers, anticipated litigation, or genuinely held beliefs or intentions of senior staff are insufficient indicators of intention at an institutional level and not enough to support a finding that legal advice was the prevailing purpose.
- Objective context will be examined: courts will look closely at contemporaneous documents, public statements, governance structures and regulatory engagement to determine institutional intent. An organisation communicating publicly about its response to a cyber incident should be wary of language which could be perceived as prioritising outcomes or purposes (for example, reputational issues or educational findings) above matters of legal compliance or advice.
- Early framing is critical: privilege is highly fact‑specific and dependent on the way an investigation or review is documented and conducted in real time. How it is framed or communicated to internal and external parties and the approach taken to engaging external vendors are key and may later be examined by the court as evidence of purpose.
- Practical steps: to assist with characterising vendor engagements as ones that attract legal professional privilege, a business, its broker, insurer and legal advisers should consider:
  - the structure of engagements to ensure alignment between the lawyer’s scope of works and vendor’s scope of works. The timing of each engagement will also be relevant.
  - tightly controlled internal and external communications to reinforce that vendor engagements are for the dominant purpose of legal advice.
  - pressing for early and continued legal involvement during the life of a vendor’s engagement to help demonstrate that the provision of legal advice is the paramount purpose of the engagement.
  - avoiding unintended disclosure of specifics of any particular engagement to any third party or regulator, including making any commitment to share results externally.
  - that re-engagement of vendors via lawyers, or broadening the scope of a vendor’s engagement following the engagement of lawyers is likely to be scrutinised and may be viewed as an attempt to ‘cloak’ the dominant purpose.
This article was prepared with contributions from Jeremy Pogrebizhsky.
This publication constitutes a summary of the information of the subject matter covered. This information is not intended to be nor should it be relied upon as legal or any other type of professional advice. For further information in relation to this subject matter please contact the author.



