Clifford Chance
Regulatory Investigations and Financial Crime Insights

Legal Professional Privilege and Investigation Reports after Medibank v McClure [2026] FCAFC 38

The Full Federal Court’s recent decision in Medibank Private Limited v McClure [2026] FCAFC 38 (Medibank v McClure) is a reminder that the Court will apply the “dominant purpose” test rigorously when assessing legal professional privilege (LPP) over investigation reports. Labels, public framing and even the involvement of external lawyers will not be determinative if, viewed objectively, the substance of the engagement does not support a dominant legal purpose.

Between August and October 2022, Medibank Private Limited (Medibank) suffered a serious cyber incident, involving unauthorised access to its IT systems and customer data exfiltration.

Medibank’s lawyers engaged Deloitte Risk Advisory (Deloitte) to conduct an external review, with the engagement letter stating that Deloitte was engaged “for the dominant purpose of providing assistance” to enable legal advice. Deloitte produced three reports that Medibank claimed LPP over: a Post Incident Review (PIR); a Root Cause Analysis; and an APRA Prudential Standard CPS 234 compliance report.

Prior to Deloitte’s formal engagement, Medibank issued an ASX announcement committing to a review to “learn from this event” and to “strengthen our ability to safeguard our customers”, promising to share key outcomes. Medibank also engaged APRA in settling the review’s scope and governance, which was embedded in a Board-level governance framework.

First Instance Decision

The primary judge considered LPP claims over the Deloitte reports. Medibank’s Chairman, CEO, General Counsel and an external solicitor gave evidence that the dominant purpose was obtaining legal advice for anticipated class actions and regulatory proceedings.

However, the primary judge found Medibank had not established the dominant purpose test. The objective circumstances revealed multiple substantial purposes of comparable or greater significance: a public accountability and “lessons learned” purpose (reflected in ASX announcements); a regulatory and prudential compliance purpose (through engagement with APRA); and a governance and institutional purpose (reflected in Board oversight). The legal purpose did not prevail over these other purposes.

The primary judge also held that, alternatively, privilege in part of the PIR report had been waived by Medibank’s public statements describing Deloitte’s recommendations.

Full Federal Court Appeal

The Full Court unanimously dismissed Medibank’s application for leave to appeal. The Court confirmed the “dominant purpose” test requires the legal purpose to be the “ruling, prevailing or most influential” purpose, with three key principles:

  1. The existence of multiple purposes does not automatically defeat LPP;
  2. The mere existence of a legal purpose is insufficient: it must predominate; and
  3. The inquiry is objective, such that an honest belief by a party (or its officers) that the legal purpose was dominant is not sufficient.

The purpose must be assessed objectively, considering the evidence, the nature of the document, and the parties’ submissions. Even if a document is “channelled” through solicitors, drafted under a law firm retainer, and used for legal advice, it may not attract LPP if, objectively, its predominant purpose was something else or if another substantial purpose outweighed the legal one.

Dominant Purpose and Evidence

Medibank argued that by accepting the evidence of the relevant decision-makers, the primary judge was bound to find that the legal purpose predominated.

The Full Court rejected this, holding that subjective evidence of witnesses is significant but not determinative. The Full Court observed that evidence from the Chairman, CEO and General Counsel did not necessarily capture Medibank’s entire institutional purpose. As a major public company responding to a crisis, Medibank acts through a multiplicity of structures, processes and actors. The dominant purpose inquiry cannot ignore this institutional complexity.

Multiple Purposes and Solicitor Engagement

The Full Court rejected Medibank’s argument that the primary judge wrongly elevated collateral or incidental consequences into co-equal purposes. The Court distinguished between treating any non-legal purpose as disqualifying (error) and evaluating whether non-legal purposes are too substantial to be treated as incidental (the correct approach).

The primary judge correctly evaluated that the public-facing “learn from this event” purpose and the APRA purpose were of comparable or greater significance, so the privilege claim failed. The dominant purpose inquiry was answered by reference to the whole institutional setting, not merely the formal engagement channel.

Public Statements and ASX Disclosures

The Full Court found the primary judge was entitled to consider how the review was publicly framed at commissioning. Medibank’s ASX announcement, framing the review in terms of “learning”, strengthening customer safeguards and sharing outcomes, was relevant evidence of the review’s objective purpose, not merely later inconsistency for waiver purposes.

APRA and Regulatory Engagement

The Court rejected Medibank’s characterisation that regulatory engagement was simply a practical step in furthering an already-crystallised legal purpose. Engagement with APRA materially shaped the scope, governance and substance of the review.

Board Oversight

The Full Court found the primary judge was entitled to treat Board oversight as consistent with the review serving substantial governance purposes beyond legal advice.

On the waiver issue, the Full Court unanimously agreed the primary judge had erred in finding that privilege in part of the PIR report was waived by Medibank’s ASX announcements.

Waiver turns on whether conduct is inconsistent with maintaining confidentiality, not merely on whether a public statement refers generally to the privileged process.

Key Takeaways

Medibank v McClure clarifies the limits of LPP over third‑party investigation reports in crisis and regulatory contexts:

  • Engagement letters and retainer language are necessary but not sufficient: Courts look beyond formal retainer language to objective circumstances. If self-characterisation in an engagement letter were determinative, “privilege would become a matter of drafting rather than substance.”
  • Public statements at commissioning carry significant weight: Contemporaneous explanations (ASX announcements, media releases) become evidence of actual purpose. Communications and legal teams should stay in close contact from the outset to thoroughly document the purpose and scope of the engagement.
  • Regulatory engagement that shapes the scope and governance of a review counts against privilege: Where a regulator is actively involved in settling the terms, scope and/or governance of a review, that involvement supports a finding that the review serves a substantial regulatory purpose.
  • Board and governance integration matters in assessing dominant purpose: Embedding external reviews in board and executive governance frameworks, where the board expects to use findings for decision-making and oversight, indicates the review serves governance purposes beyond legal advice.
  • Commission separate reports for separate purposes: Organisations should consider commissioning separate regulatory, governance and legally directed reports. Combining multiple purposes in a single document makes it harder to establish a dominant legal purpose.
  • Waiver requires more than general public references: The Full Court clarified that privilege is not waived by high‑level public statements that a review produced findings and recommendations without disclosing their substance. 