This briefing note sets out an overview of the decision in Medibank Private Limited v McClure [2026] FCAFC 38, including key implications for employment, industrial relations and safety practitioners.
Executive Summary
In practice, organisations are increasingly dealing with matters that require proactive or post‑incident reviews, spanning legal, regulatory, governance and risk considerations. Frequently, these reviews are commissioned at board level or CEO level and structured through lawyers, with an expectation that the resulting report will attract legal professional privilege.
Medibank v McClure is a timely reminder that, when assessing privilege, courts will look past labels and engagement structures and focus instead on what an organisation was objectively trying to achieve in commissioning the review.
In this decision, the Full Federal Court confirmed that even where lawyers are involved, litigation is anticipated and senior executives genuinely believe the dominant purpose is for legal advice, privilege can still fail if the work also serves broader commercial purposes – such as governance, remediation, regulatory engagement or public/customer accountability. In Medibank's case, public statements, engagement with the regulator (APRA) and the way Deloitte's work was embedded into a wider response framework all pointed to the reports being part of an overall business response, rather than primarily a legal one.
This decision is particularly relevant in crisis scenarios – cyber incidents, misconduct investigations, regulatory breaches or cultural reviews – where organisations inevitably juggle legal, operational, reputational and regulatory considerations at the same time. The case reinforces that these mixed purposes create real privilege risk, especially where communications are public, there is a regulatory overlay or reviews are closely tied into board‑level governance processes. Even where there is early clarity about purpose, disciplined communications and careful coordination across functions when commissioning and using external reviews, the risk of not cloaking a confidential report with legal privilege is always alive.
What happened?
Over the period August to October 2022, Medibank experienced a cyber incident in which one or more cyber rogues accessed its IT systems and exfiltrated customer data (the Incident).
In response to the Incident, Medibank's internal teams and external advisers (including the law firm King & Wood Mallesons (KWM)) became engaged in a broader response exercise. This exercise involved several workstreams including internal investigation, technical containment, communications planning, regulatory notification and legal advice.
Medibank engaged a range of external experts. This included the engagement of Deloitte (through KWM) to investigate the Incident. Deloitte prepared three reports as part of the engagement – the 'Post Incident Review' report, the 'Root Cause Analysis' report and a report directed to compliance with APRA Prudential Standard CPS 234 (the Deloitte Reports).
The applicants in a consumer class action claim brought against Medibank in relation to the Incident sought production of the Deloitte Reports. Medibank resisted production on the basis that the Deloitte Reports were subject to legal professional privilege.
At first instance, Justice Rofe of the Federal Court of Australia found that the objective circumstances indicated that the Deloitte Reports had not been commissioned for the dominant purpose of obtaining legal advice or for anticipated legal proceedings, and so the Deloitte Reports were not protected by legal professional privilege (see McClure v Medibank Private Limited [2025] FCA 167).
Medibank sought leave to appeal this decision.
What was decided on appeal?
The Full Federal Court (of Wigney, Lee and Hespe JJ) unanimously dismissed Medibank's application for leave to appeal Justice Rofe's decision.
In applying the 'dominant purpose' test, Justice Lee (with whom Wigney and Hespe JJ agreed) restated the following accepted legal principles.[1]
- First, there can be multiple purposes for which a document is created. The existence of more than one purpose does not defeat a claim for legal professional privilege.
- Second, the 'dominant purpose test' requires an assessment of which purpose is the most dominant. This is an "evaluative and hierarchical" assessment. For there to be legal professional privilege, the legal purpose must prevail over all other purposes.
- Third, the 'dominant purpose test' is an objective one. An application of this objective assessment found the following:
  - The Deloitte Reports were commissioned for a legal purpose. This was evidenced by Deloitte's engagement through KWM, the engagement letter referring to legal advice and anticipated litigation, KWM's involvement in shaping the terms of reference, and the subsequent use of the reports in legal proceedings. However, the Full Court reaffirmed that "a self-characterisation or mere incantation of 'dominant purpose'" is not, on its own, determinative. Courts must look beyond this to ascertain dominant purpose.
  - The direct evidence of Medibank's senior officers, being its Chair, CEO and General Counsel, was important but not definitive. Although they gave evidence that the dominant purpose of the Deloitte Reports was to obtain legal advice, Justice Lee observed that "while relevant, it is not enough that a party or its officers honestly say, or even honestly believe, that the legal purpose was dominant." Their evidence alone could not establish the "whole of Medibank's institutional purpose", and, in matters such as the Incident, where there was a wide range of "actors" (including the board, the cyber response committee, the executive leadership team, the external affairs function, the legal team, risk and governance personnel, technical consultants and regulators), the dominant purpose inquiry could not ignore that institutional complexity and had to be assessed by reference to the organisation's objective purpose as revealed by contemporaneous acts and records.
  - Medibank made various public statements regarding the engagement of Deloitte, which the applicants argued was evidence that the legal purpose was not the dominant purpose. This included an ASX announcement on 7 November 2022, which stated (among other things) that Medibank had engaged Deloitte to "learn from this event", that "lessons learned" would be implemented, and key outcomes would be shared "where appropriate". Justice Lee observed that Justice Rofe was entitled to place significance on what Medibank was "telling the world", particularly given the timing and content of this statement. He agreed that the statement supported the primary judge's conclusion that the legal purpose "was not the only, and perhaps not the prevailing, purpose".
  - Medibank engaged with APRA (as the relevant Regulator) regarding the terms of reference for Deloitte's review. Medibank did not simply notify APRA of the review but had "active engagement" with them.
  - Deloitte's review was embedded within a broader governance structure, which was aimed at responding to the Incident, and was part of a programme of work that was overseen by the Board.
This objective assessment found that the Deloitte review (which led to the creation of the Deloitte Reports) was within a larger system of governance, public communication and regulatory engagement. Although a purpose of the Deloitte Reports was for the provision of legal advice and for anticipated litigation, it was not the dominant purpose. Accordingly, the Full Court did not disturb the primary judge's finding that the Deloitte Reports did not attract legal professional privilege.
What are the key implications for employment, industrial relations and safety practitioners?
Organisations frequently engage external experts to consider and provide opinions on a range of matters. This includes workplace investigations into individual grievances, broader cultural reviews, and crisis response scenarios that span governance, regulatory and legal risk, often involving multiple 'actors' across the organisation. Commonly, the reviews are commissioned at board-level, and employment, industrial relations and safety practitioners may have a key role in reporting to the Board and managing the review.
Often the intention is for the reports produced in these investigations and/or reviews to be subject to legal professional privilege such that the contents cannot be used as part of any legal proceedings.
While privilege will always turn on its own facts, the decision provides useful guidance on managing privilege risk in complex, multi‑disciplinary reviews. In light of this decision, practitioners should keep the following in mind:
- Internal and external communications regarding the engagement of the expert should consistently indicate that the dominant purpose of the engagement is to obtain legal advice and/or for anticipated litigation. Other purposes can be stated, but the language of the statement should then make it clear that these purposes are not the dominant purpose.
- The engagement of the expert should ideally be done through external lawyers, and the engagement documents should clearly set out the purpose. Although this was not a definitive factor in this decision, the Court did consider it to be relevant and so we recommend that practitioners adopt this practice to clearly set expectations.
- The engagement with the expert should be arranged so that it is separate, to the extent practical, from other processes (e.g. regulatory engagement or governance frameworks).
- If a claim for privilege is being made as part of any proceeding, it will be useful to be able to provide evidence from a range of "actors" (i.e. other than the Board or executive team) to better demonstrate the institutional purpose of the organisation in engaging the external expert.
Footnote
1. Esso Australia Resources Ltd v Commissioner of Taxation [1999] HCA 67.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.