Federal Court of Australia

Medibank Private Limited v McClure [2026] FCAFC 38

ORDERS

THE COURT ORDERS THAT:

1.    The application for leave to appeal is dismissed.

2.    The applicant pay the respondents’ costs.

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

REASONS FOR JUDGMENT

(Delivered ex tempore, revised from the transcript)

WIGNEY J:

1    The Court is in a position to make some orders today and to give some brief reasons, so I will ask Lee J to deliver the first judgment.

LEE J:

A     INTRODUCTION

2    This is an application by Medibank Private Limited (Medibank) for leave to appeal from orders made rejecting a claim of legal professional privilege over three reports prepared by Deloitte Risk Advisory (Deloitte) following the cyber incident which affected Medibank in late 2022 (McClure v Medibank Private Limited [2025] FCA 167 (PJ)).

3    Because the application for leave was referred to the Full Court to be heard concurrently with the proposed appeal, it is convenient to state reasons in a form which deals both with the threshold question of leave and, to the extent necessary, the merits of the proposed grounds.

4    Although at an earlier stage privilege had been asserted over a broader body of material, the issues were progressively confined. No claim of privilege was maintained in respect of work undertaken pursuant to certain pre-existing engagements, and other categories of documents fell away from controversy.

5    The real contest came to be directed to the three reports prepared by Deloitte, being a “Post Incident Review” report; a “Root Cause Analysis” report; and a report directed to compliance with APRA Prudential Standard CPS 234. It was in respect of those reports that Medibank continued to press its claims of privilege and to resist the conclusion that any privilege had been waived. The primary judge concluded that Medibank had not established that they were commissioned for the dominant purpose of obtaining legal advice: PJ [386]–[407], and especially [405]–[407]. Her Honour further held, in the alternative, that privilege in part of the Post Incident Review report had been waived by reason of Medibank’s public statements: PJ [424]–[446], especially [445]–[446].

6    Leave to appeal is sought on a series of grounds which, although expressed as complaints of legal error, are in substance directed to the evaluative conclusions reached by the primary judge about purpose. In addition to resisting leave, if leave is granted, the respondents seek to rely upon a proposed notice of contention asserting that, if privilege subsisted in any part of the Deloitte reports, it was waived more broadly than the way in which the primary judge found.

B    THE FACTUAL AND PROCEDURAL BACKGROUND

7    The primary judge recorded, in great detail, the chronology of the cyber incident and Medibank’s response to it. Present reference to the relevant events can be brief.

8    Between August and October 2022, Medibank experienced a cyber incident in which one or more cyber rogues accessed its IT systems and exfiltrated customer data: PJ [7], [32]–[41], [46]–[50], [53]. In the immediate aftermath, Medibank’s internal teams, external legal advisers and various technical and communications consultants became engaged in a broad response exercise which was at once legal, technical, regulatory, operational and reputational.

9    The primary judge found that, on 12 October 2022, Medibank’s crisis management processes were activated and Medibank’s General Counsel, Ms Ramsay, engaged King & Wood Mallesons (Mallesons) to provide legal advice in relation to the cyber incident: PJ [35], [38]. At about the same time, CrowdStrike was engaged to assist with identification, counter-response, incident response, investigation and containment services, and Medibank’s External Affairs team separately engaged CyberCX to assist with crisis communications: PJ [36]–[37].

10    By the end of that day, it is clear that Medibank had engaged in several streams of activity which were not reducible to one single legal objective. There was internal investigation, technical containment, communications planning, regulatory notification and legal advice, all occurring in parallel.

11    The primary judge found that, on 13 October 2022, Medibank had published an ASX announcement telling the market that it had been impacted by the cyber incident and had also notified APRA and the OAIC: PJ [42]. By then, Mr Koczkar, the Chief Executive Officer of Medibank, was cognisant of the existence of litigation risk, including class action risk: PJ [43]. But the primary judge also found that in those initial days and weeks Medibank, through internal investigations, was trying to understand what had occurred so that it could make appropriate notifications and disclosures to customers, shareholders, regulators, law enforcement and government agencies: PJ [44]–[45].

12    On 19 October 2022, Medibank received ransom demands and material indicating that customer data had likely been pilfered. Medibank entered another trading halt and released an ASX announcement informing the market of the ransom request and that investigations were ongoing: PJ [49]–[51].

13    On the same day, Medibank staff met with technical and crisis-management consultants, and a solicitor from Mallesons, Mr Gatto, was brought in to advise on potential class actions, regulatory engagement and related issues: PJ [52]–[54]. On 20 October 2022, another ASX release was published by Medibank, noting its commitment to transparency and relevantly stating: “We will learn from this incident and will share our learnings (sic) with others”: PJ [56].

14    The primary judge also referred to a draft board paper circulated on 21 October 2022. Replete with consultant-speak, this identified a phased response architecture extending from immediate containment to a “marathon phase” and then a “new normal phase”: PJ [57]. That paper contemplated, among other things, ongoing requests by regulators for detailed assurance information, the commencement of post-incident review workstreams, external reviews by regulators, “quick-win” governance improvements, prioritisation of data cleansing and management initiatives, and enhanced security awareness and “culture” measures: PJ [57]–[58].

15    The significance of those findings, for present purposes, lies in the fact that they reveal, at a very early point, a broad institutional response in which legal concerns were important but not exclusive.

16    By 25 October 2022, Medibank was publicly confirming that customer data had been taken and that it would continue to provide regular and transparent updates: PJ [62]. Of course, by that time, Medibank’s senior officers regarded litigation and regulatory action as realistic prospects: PJ [63]–[64]. Ms Ramsay considered that Medibank should arrange for an external review so that internal and external solicitors could understand, from a suitably qualified person external to Medibank, the facts of the incident in order to provide legal advice and prepare for legal proceedings: PJ [60], [64].

17    Equally, however, the primary judge found that, on 7 November 2022, Medibank issued an ASX announcement stating, relevantly, that it would commission an external review “to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers” and that Medibank “commits to sharing the key outcomes of the review, where appropriate”: PJ [76]–[78]. Her Honour referred to evidence from Mr Wilkins, Mr Koczkar and Ms Ramsay explaining why the phrase “where appropriate” had been used and why the review was not described publicly as one obtained for legal advice: PJ [79]–[83].

18    Those findings assumed importance in her Honour’s reasons because they showed how Medibank itself chose to explain the review contemporaneously and publicly, at the time of commissioning.

19    The primary judge then traced the processes leading to Deloitte’s engagement. By about 10 November 2022, Mr Gatto had formed the view that Mallesons would need to engage one or more cyber experts to provide expert forensic assistance and to explain the incident in terms the legal team could understand: PJ [84]. Yet at the same time, the primary judge noted a draft “Cyber Incident Program Office” governance flow document in which “Incident Investigation” and “External Review” were grouped together under board and executive supervision, with the stated purpose of conducting “an external and independent review and share findings and lessons with stakeholders (sic)”: PJ [85].

20    On 15 November 2022, Medibank informed APRA that Mallesons had been engaged to act on its behalf and appoint an external provider to perform a review in relation to the cyber incident, identified Deloitte as the preferred provider, and shared draft terms of reference and a proposed governance structure for engaging Deloitte to conduct the external review: PJ [91]. APRA suggested amendments directed to matters including the root cause, control deficiencies, non-compliance with CPS 234 and the effectiveness of Medibank’s response: PJ [92]. The final Deloitte engagement letter was issued later on 15 November 2022. It recited that Medibank had engaged Mallesons to provide confidential legal advice and assistance about legal risks and potential exposures associated with the cyber incident; referred to anticipated class actions and regulatory inquiries; and stated that Deloitte was engaged “for the dominant purpose of providing assistance to [Mallesons]” to enable legal advice and assistance in relation to the cyber incident to be provided to Medibank: PJ [95].

21    Thus, by the time the primary judge came to determine the privilege claim, she was faced with a record which revealed at least the following: (a) there had undoubtedly been early and genuine legal concern; (b) there had been public statements presenting the external review as an exercise in “learning”, customer safeguard enhancement and transparency; (c) there had been deliberate engagement with APRA about scope and governance; (d) there had been governance and operational materials integrating the review into broader organisational reform; and (e) there had been a formal legal retainer through Mallesons using familiar privilege language. The question for her Honour was not whether one or another of these features existed. It was which purpose, considered objectively across the whole of this institutional picture, was dominant.

C    THE RELEVANT LEGAL PRINCIPLES

22    The legal principles were not in dispute either below or before us and for present purposes can be shortly stated. The principal source remains Esso Australia Resources Ltd v Commissioner of Taxation [1999] HCA 67; (1999) 201 CLR 49. As is well-known, in that case the High Court adopted the “dominant purpose” test and rejected a “sole purpose” or “substantial purpose” approach. The expression “dominant purpose” was used to denote the “ruling, prevailing or most influential purpose”: Commissioner of Taxation (Cth) v Spotless Services Ltd [1996] HCA 34; (1996) 186 CLR 404 (at 416 per Brennan CJ, Dawson, Toohey, Gaudron, Gummow and Kirby JJ).

23    Three relevant consequences follow from that formulation: first, the existence of more than one purpose does not, without more, defeat privilege (reflecting the reality that documents in a commercial context are often created in circumstances where more than one consideration is operating); secondly, the mere existence of a legal purpose is insufficient as the legal purpose must predominate; and thirdly, the inquiry is objective and, while relevant, it is not enough that a party or its officers honestly say, or even honestly believe, that the legal purpose was dominant.

24    These propositions have been developed and applied in many later authorities. While it has been observed that the ascertainment of the relevant purpose or purposes involves the application of a so-called “subjective” test, intention and purpose can be, and often are, ascertained from the objective circumstances, and direct evidence from the person claiming privilege may be rejected based on objective circumstances and the fact that a document may be objectively incapable of carrying out the proposed purpose. Ultimately, the question of purpose must be determined objectively, having regard to the evidence, the nature of the document in question and the parties’ submissions: Diawara v National Australia Bank Ltd [2023] FCA 1048 (at [10] per Abraham J).

25    Consistent with this principled approach is the particularly helpful decision of Finn J in Pratt Holdings Pty Ltd v Commissioner of Taxation [2004] FCAFC 122; (2004) 136 FCR 357. His Honour emphasised the purpose of a corporation in procuring a document must be determined by reference to the totality of the evidence, including objective features and contemporaneous documents, and one must be careful not to reason as though the assertions of lawyers or officers are dispositive. The importance of that proposition is acute in a case of the present kind. Medibank is a large publicly listed corporation responding to a crisis across multiple fronts. A court determining the corporation’s purpose in creating documents within that response cannot proceed as though the statements of one or two senior actors exhaust the corporation’s institutional purpose.

26    It is trite to observe that the task is evaluative and requires attention to all the surrounding circumstances, including contemporaneous communications and the practical role the documents were expected to perform. Further, a recurrent theme in the cases is that the involvement of solicitors, even close involvement, does not solely determine the issue. A document may be “channelled” through solicitors, drafted under a retainer with a firm, and later used in the provision of legal advice, but nonetheless fail to attract privilege if objectively its predominant purpose was something else, or if the legal purpose did not prevail over competing substantial purposes: see Pratt Holdings (at 369–370 [45]–[47]).

27    For completeness, it is worth adding that there is a related but distinct body of law concerning waiver. Waiver does not, of course, turn on the dominant purpose for which a document was brought into existence, but on whether later conduct is inconsistent with the maintenance of the confidentiality which the privilege is intended to protect: Mann v Carnell [1999] HCA 66; (1999) 201 CLR 1 (at 13 [29] per Gleeson CJ, Gaudron, Gummow and Callinan JJ); Australian Securities and Investments Commission v Macleod [2024] FCAFC 174; (2024) 307 FCR 332 at (357–360 [129]–[140]). That distinction must be kept steadily in mind. The fact that the same conduct may later bear upon waiver does not preclude its use as evidence of purpose (because it could rationally be probative of that anterior fact in issue). But nor should the tests be conflated. Whether that conflation occurred here is raised by Medibank.

D    MEDIBANK’S PROPOSED APPEAL

D.1     The Character of the Challenge and Overlap

28    Before coming to the proposed grounds themselves, it is worth making two preliminary observations.

29    First, although Medibank’s grounds are couched in the language of legal error, the true character of the appeal emerges starkly, even upon impressionistic examination. Medibank’s essential proposition, repeated in different forms, is that the primary judge accepted the evidence of Medibank’s Chairman, Chief Executive Officer and General Counsel as to purpose, did not find that evidence unreliable, and yet reached a conclusion said to be inconsistent with it. A recurrent submission is that there were “no objective facts inconsistent” with that evidence. Once stripped of its formal packaging, the complaint is that the primary judge did not attach the decisive weight Medibank says should have been attached to the testimony of those witnesses, and attached too much weight to other features of the evidence.

30    It is important to identify that point because the appeal then falls to be analysed in the correct way. This is not a case where the primary judge misstated the governing principles. Nor is it a case where some critical class of evidence was ignored. Although there were a number of quibbles raised in oral submissions with how the primary judge framed some facts, there was no direct and specific attack on her Honour’s material findings. Rather, this is a case where Medibank seeks to recast disagreement with a factual and evaluative synthesis as an error of law. That does not mean the proposed grounds are to be brushed aside. But it does mean that one must be careful not to allow the language of “error of principle” to disguise what is, in substance, a challenge to evaluative findings which were open on the evidence adduced.

31    In the end, many of Medibank’s submissions are directed to demonstrating that individual aspects of the primary judge’s reasoning can be criticised when examined in isolation. But appellate review is not conducted in that manner. The question is whether, taking the reasons as a whole, the evaluative conclusion as to dominant purpose was one that was open, in the sense that no recognisable error is demonstrated. Once it is appreciated that her Honour’s reasoning involved a synthesis of competing considerations, the criticisms advanced reduce to an invitation to prefer a different synthesis. That is not a sufficient basis for appellate intervention.

32    Secondly, numerous proposed grounds have been identified by Medibank, but unsurprisingly in the light of its core theme, the proposed grounds overlap considerably with the same arguments often deployed under different grounds. It is convenient to attempt to group them in a logical fashion, but even having done that, what follows includes some unavoidable repetition.

D.2    Proposed Ground 3: dominant purpose and evidence treatment

33    The first proposed ground (identified as Proposed Ground 3 for some reason) is directed to what Medibank says was the central vice in the reasoning below. Medibank submits that the primary judge accepted the evidence of the relevant decision-makers that the dominant purpose of the Deloitte Reports was to obtain legal advice and assistance in relation to the legal exposure generated by the cyber incident.

34    As to the evidence, Medibank relied upon affidavit evidence from Mr Wilkins, the Chairman of Medibank, Mr Koczkar, its Chief Executive Officer, Ms Ramsay, its General Counsel and Company Secretary, and Mr Gatto, a partner of its external solicitors. “Leave” was apparently sought to cross-examine the Chairman and the Chief Executive Officer, and they were cross-examined. No such “leave” was sought in respect of Ms Ramsay or Mr Gatto, and they were not cross-examined. In the circumstances, although aspects of the evidence of the Chairman and the Chief Executive Officer were tested, the evidence of the General Counsel and Mr Gatto was received without challenge, subject to the ordinary requirement that its proper characterisation and weight be assessed in the light of its content and the surrounding circumstances: PJ [14]–[16], [24].

35    Medibank says the affidavit evidence establishes beyond peradventure that the review was commissioned when litigation was anticipated, was formally retained through Mallesons, and was intended to put the legal team and the board in a position where legal advice could be given on a sound factual footing. One is tempted to respond: well, of course it does, but that is not really the point.

36    More importantly, however, Medibank contends that the primary judge, having accepted this evidence and not identified any contradiction of it by objective facts, was bound in the circumstances to conclude that the legal purpose predominated and her reasoning process in concluding otherwise was infirm.

37    A fair review of her Honour’s judgment demonstrates that the primary judge did accept this interrelated affidavit evidence, including that of Mr Gatto and Ms Ramsay. Of course, this fact is embraced by Medibank, but it is then said, by reference to PJ [24], that aspects of this interrelated evidence were misunderstood or somehow diminished by her Honour as being merely “the singular perspective of lawyers”. Apart from the obvious fact that any witness necessarily gives evidence from their singular perspective, this does not do justice to her Honour’s reasons. At PJ [24], the primary judge was simply making the point that the subjective view as to dominant purpose of lawyers is significant but not determinative. There is nothing in the reasons to suggest that the primary judge was not cognisant that each witness called by Medibank gave consistent evidence both as to their intentions and understandings, including as to the position of the Board. Indeed, the contrary is the case. Medibank’s real complaint is how her Honour used that evidence when it came to the critical reasoning process.

38    The respondents’ answer begins from a different conception of the dominant purpose inquiry. They submit that the primary judge did exactly what authority required her to do. She accepted that the witnesses held the views they expressed. But she also recognised, correctly, that the legal characterisation of purpose was a matter for the court to determine objectively by reference to the totality of the evidence. The respondents rely in this regard on PJ [23]–[24], where her Honour expressly stated that the states of mind of Mr Wilkins and Mr Koczkar were highly relevant but not solely determinative, and where she accepted the submission that the evidence of solicitors, viewed from their singular perspective, did not itself establish that legal purposes predominated overall for Medibank. The respondents say that Medibank’s complaint is in truth a complaint about weight: Medibank wished the primary judge to give controlling significance to the subjective evidence, whereas her Honour, consistently with not least Esso and Pratt Holdings, treated it as one part of a larger evidentiary picture.

39    The respondents are correct, and the proposed grounds are not sufficiently arguable. The first difficulty with Medibank’s argument is conceptual. It proceeds from the premise that, absent a finding that the witness evidence was unreliable, or absent some “objective contradiction”, the court was obliged to treat that evidence as establishing dominant purpose. That is not how the law operates. The question is not whether the witnesses were honest or even persuasive in describing what they thought. The question is whether, objectively viewed, the legal purpose was the ruling, prevailing or most influential purpose. Subjective evidence is important because it may illuminate what was in the minds of those involved; but it does not dictate the legal conclusion in the face of objective circumstances.

40    The second difficulty is that Medibank’s insistence on “no objective contradiction” reframes the inquiry in an unhelpful way. The law does not require a competing purpose to manifest itself through some direct contradiction of witness testimony. Real life is rarely so tidy. Corporate decision-making, particularly in a crisis, does not proceed in watertight compartments; nor does it march in a single file.

41    A report, such as the present, may well be commissioned in circumstances where everyone involved sincerely believes that legal advice is central, while the objective circumstances show that the report is also being brought into existence to serve substantial regulatory, governance, public assurance or operational functions. The court’s task is not to ask whether those functions “contradict” the witness evidence. It is to ask what those functions reveal about purpose. That is precisely what her Honour did.

42    Medibank placed much emphasis on the following objective circumstances: (a) the existence and terms of the retainer letters, which all reflect a desire to ensure any work product was privileged and were consistent with an intention to use the work product for a privileged purpose; (b) the high likelihood of the need for advice in the context of anticipated class action litigation and regulatory investigation; and (c) the character of the reports produced which were apt to be used for a privileged purpose. Such matters were consistent with the testimonial evidence relied upon by Medibank appreciating the need to obtain legal advice based upon the provision of the reports (although this evidence is not, of course, in itself, an objective circumstance).

43    But what also matters is the further objective circumstances identified by the primary judge, which were also of substance. At PJ [77]–[83] her Honour referred to Medibank’s 7 November 2022 ASX announcement stating that Medibank would commission an external review “to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers” and would share key outcomes “where appropriate”. Although evidence was given as to what was meant by this expression, why it would be appropriate to share the outcome of the review with the public if the work product was to be the subject of legal professional privilege was not explained (a point appreciated by her Honour: see PJ [338]). Certainly, no evidence was adduced that those involved in commissioning the review thought there was any prospect that they would contemplate waiving privilege later in relation to whole or part of it.

44    At PJ [91]–[95] her Honour carefully traced the engagement with APRA concerning preferred provider, scope and governance. At PJ [150]–[164] her Honour dealt more broadly with APRA involvement and the regulatory dimension, and at PJ [200]–[210] with the integration of the review into board and governance processes. These matters did not merely sit passively in the background. They were part of the objective matrix from which purpose had to be inferred. Importantly, as her Honour recognised, from 3 November 2022, Medibank was “keen to ensure, if possible, that part of Medibank’s proposed external review would address” APRA’s concerns, including what might be described as “forward-looking” issues and recommendations to prevent recurrence (as was reflected in the scope of the work to be done).

45    The APRA purpose was not “antithetical” to the dominant purpose being as Medibank contended (cf PJ [364]), for one thing, if the review was privileged, an agreement was struck that there was no difficulty in sharing it with APRA while APRA “reviews the information for purposes related to its prudential regulation”. The purposes could co-exist and be complementary. But taken as a whole, particularly given her Honour’s conclusion at PJ [405]–[407], it is evident this was part of the matters to which her Honour was required to have regard in making an overall evaluative finding as to what purpose, if any, was dominant at the time of finalisation of scope and commissioning.

46    Additionally, the role of the Board was also material. As her Honour recorded, the Deloitte review was situated within a governance structure involving Board and executive oversight, including the “Cyber Incident Program Office” framework, and was integrated into processes by which the Board was to be informed of, and oversee, Medibank’s response to the incident: PJ [85], [200]–[210]. That evidence was capable of supporting a conclusion that the review also served broader governance and institutional purposes.

47    The third difficulty is that Medibank’s argument tends to assume that the evidence of the Chairman, Chief Executive Officer and General Counsel necessarily captured the whole of Medibank’s institutional purpose. That assumption is not warranted. A major public company responding to a crisis of this kind acts through a multiplicity of structures, processes and actors. The board, the cyber response committee, the executive leadership team, the external affairs function, the legal team, risk and governance personnel, technical consultants and regulators may all shape the practical work done.

48    The dominant purpose inquiry cannot ignore that institutional complexity. The primary judge was entitled to consider that what these particular witnesses said about purpose, though highly relevant, did not exhaust the corporation’s objective purpose as disclosed by its contemporaneous acts and documents.

49    The fourth and perhaps most telling point is that the primary judge did not in fact ignore or discount the witness evidence in the way Medibank suggests. Her Honour set it out, accepted it, and engaged with it. The dispositive reasoning at PJ [323] was not drafted in a vacuum. It proceeded on the basis that her Honour accepted the evidence given by those involved (including their instructions). The purpose of these paragraphs was to explain why that evidence was not dispositive. The essential reasoning below was not: “I reject what these witnesses say.” It was: “I accept that they held these views, but the objective circumstances show that legal purpose did not predominate overall.” That is a fundamentally different process. It was the process required by authority. For those reasons, proposed Ground 3 does not disclose arguable error.

50    Before leaving this proposed ground, it is worth making a further point concerning Medibank’s reliance upon the asserted absence of challenge to aspects of its evidence.

51    That submission sits somewhat oddly with the position Medibank adopted below by counsel then appearing. Medibank resisted attempts which would have permitted more extensive testing of its evidence and did so by reference to the proposition that “leave” was required to cross-examine on the affidavit evidence read in chief by Medibank. It appears necessary to explain, yet again, that this premise is not an accurate reflection of principle. Whatever may have been the rule of practice in some States prior to legislative change, as I explained in Lantrak Holdings Pty Ltd v Yammine [2023] FCAFC 156 (at [28]), the Evidence Act 1995 (Cth) provides that a party may question a witness unless the Court directs otherwise; the question is not whether leave should be granted to cross-examine, but whether it should be prevented.

52    In those circumstances, it lies ill in Medibank’s mouth to place such weight upon the absence of cross-examination, when it both resisted the occasion for such testing and did so by reference to an incorrect legal premise. But as it happens, the submission is beside the point. The primary judge accepted the evidence of the Chairman, the Chief Executive Officer and the General Counsel. The question for the primary judge was not whether particular evidence was unchallenged, but rather what conclusion should be reached, objectively, as to dominant purpose having regard to the whole of the evidence. The absence of cross-examination on particular matters does not relieve the Court of that evaluative task, nor does it render the asserted purpose dispositive.

D.3    Proposed Grounds 4 to 5: multiple purposes and the asserted primacy of legal purpose including solicitor engagement

53    Proposed Grounds 4 and 5 are directed to two related propositions: first, that the primary judge misapplied the principle that the existence of multiple purposes does not deny privilege; and secondly, that her Honour failed to give proper weight to the solicitor-led nature of the engagement.

54    Medibank submits, correctly as a matter of abstract principle, that the existence of multiple purposes does not prevent privilege from attaching. It says the primary judge erred by treating the existence of regulatory, public-facing, governance or operational purposes as if they were destructive of privilege. Medibank emphasises that, in real commercial life, especially after a major cyber incident, a company exposed to class actions and regulatory scrutiny will necessarily have to engage with solicitors, regulators, the market and its own governance systems simultaneously. It says that the law of privilege does not demand a kind of institutional monomania in which a report must serve nothing but a legal purpose. From that uncontroversial premise, Medibank argues that the primary judge’s analysis wrongly elevated collateral or incidental consequences into co-equal purposes and thereby misapplied the dominant purpose test.

55    There might be thought to be a superficial attraction in this submission, because it begins from the orthodox proposition that documents may have more than one purpose, and one does not deny privilege simply because a report commissioned for legal advice also informs management, or assists a board, or happens to bear upon regulatory questions. But the difficulty for Medibank is that the primary judge did not proceed on the basis of any contrary principle. Her Honour did not say that because the report served some additional function it could not be privileged. Rather, she found that the additional functions disclosed by the evidence were too significant to be treated as incidental. The legal purpose, though present, did not emerge as the prevailing or most influential one. PJ [323]–[338], [351]–[364], [390]–[407].

56    That distinction is decisive. If the primary judge had reasoned that the mere existence of any non-legal purpose destroyed privilege, that would indeed have been error. But that is not what her Honour did. The reasons reveal an evaluative judgment that the public-facing “learn from this event” purpose and the APRA and CPS 234 purpose were not subordinate or adventitious. They were embedded in the way the review was conceived, announced, governed and later used. Her Honour’s task under Esso was to identify whether the legal purpose was dominant. Once she concluded, on the evidence, that the other purposes were of comparable or greater significance, the claim to privilege failed.

57    The respondents correctly submit that Medibank repeatedly says that the primary judge treated “other purposes” as disqualifying and that the primary judge identified not just any other purposes, but substantial purposes expressly disclosed in contemporaneous materials: the public promise of learning and customer safeguard enhancement; the expectation that outcomes would be shared where appropriate; the governance integration of the review; the shaping of scope through regulatory engagement; and the production of a report specifically concerned with prudential standard compliance. These were not minor by-products. They were part of why Deloitte was engaged.

58    A central theme in Medibank’s submissions is that the Deloitte reports were solicitor-commissioned and solicitor-directed, and that the primary judge underestimated the significance of this fact. Medibank emphasises that the formal engagement was made by the solicitors; that the letter of engagement expressly recited legal advice and anticipated litigation; that it stated that Deloitte was engaged for the dominant purpose of assisting the solicitors to provide legal advice and assistance; that the solicitors shaped and adjusted the terms of reference; that the reports were delivered through the solicitors; and that the reports were later used in relation to actual and anticipated legal proceedings. Medibank submits that the primary judge’s observation that the solicitors played only a minor role in some respects of selection and scoping reflected a misreading or underestimation of the evidence and materially skewed the dominant purpose analysis.

59    It should immediately be said that these matters were important. A court should not discount the significance of a formal retainer through lawyers or the role of lawyers in structuring an expert engagement. Where a non-lawyer expert is retained through a firm of solicitors under a retainer expressly directed to legal advice and anticipated litigation, that may be a strong indicator that the legal purpose predominates. If the primary judge had ignored those matters or treated them as irrelevant, that would have been error.

60    But again, that is not what occurred. The primary judge accepted, repeatedly, that legal advice was in contemplation, that Mallesons were involved, and that the Deloitte work would inform legal advice. The issue was whether those features were decisive when set against the wider corporate setting. Her Honour’s answer was that they were not: PJ [351]–[364], [373]–[385], [390]–[407].

61    Medibank’s reliance on authorities such as Mitsubishi Electric Australia Pty Ltd v Victorian WorkCover Authority [2002] VSCA 59; (2002) 4 VR 332 (at 338 [14] per Batt JA) and Singapore Airlines Ltd v Sydney Airports Corporation Ltd [2004] NSWSC 380 (at [18], [19], [21], [30], [33] per McDougall J) does not advance the argument. Those cases recognise that the purpose of a solicitor in commissioning a report is relevant, and often important. They do not establish that such evidence is determinative, still less that it displaces the requirement to assess purpose objectively by reference to all the circumstances. In the present case, the primary judge did precisely what those authorities require and there is no inconsistency with principle.

62    At the risk of repetition, it is well to emphasise that although important (and in some cases decisive) evidence, the law does not accord talismanic significance to a solicitor’s retainer letter. The self-characterisation or mere incantation of “dominant purpose” in an engagement letter cannot determine the issue. If it could, privilege would become a matter of drafting rather than substance. The authorities have long rejected that kind of formalism. A court must look beyond the retainer language to the practical and institutional role the document was intended to play.

63    That is particularly so here. The objective evidence showed that the Deloitte review sat within a larger system of governance, public communication and regulatory engagement. The primary judge was entitled to conclude that, although Mallesons structured the engagement in legal terms, the reports were being brought into existence to do more than provide the factual substrate for legal advice. They were also intended to serve important governance, regulatory and “public-facing” functions.

64    Medibank’s complaint that the primary judge understated the role of the solicitors also does not materially advance the matter. Even if one accepted that the involvement of Mallesons was more extensive than a particular passage of the reasons suggested, that would not answer the core question. The dominant purpose inquiry was answered by reference to the whole institutional setting, not merely the formal channel of engagement. That was the correct approach.

65    There is a broader doctrinal reason why Medibank’s argument should not be accepted. The dominant purpose test is evaluative and hierarchical. It is not satisfied by establishing that legal advice was a serious purpose, or even an important purpose. It requires the legal purpose to prevail over others. Medibank’s submission subtly but impermissibly shifts the focus from whether the legal purpose dominated to whether it simply existed alongside others and was not negated by them. But the right inquiry remained whether, among the purposes shown by the evidence, legal advice was the ruling or prevailing one. The primary judge answered that question against Medibank. That conclusion was not only open; it was, in my respectful view, cogently reasoned.

66    A further answer to these grounds is practical. If one reads the findings at PJ [77], [85], [91]–[95], [150]–[164] and [200]–[210] together, one sees a review which, from its inception, was expected to do several kinds of work: to inform Medibank’s legal position; but also to serve as an instrument of external accountability, internal governance and regulatory response. The law does not deny that one of these may still dominate. But where a trial judge, after hearing and considering all the evidence over no less than three days, concludes that they are too substantial to permit that finding without any discernible error of principle, an appellate court should be slow to intervene.

67    Something should be said about Medibank placing some emphasis on her Honour’s statement at PJ [325], which it characterised as a finding of “two dominant purposes”. That expression is, with respect, inapt, because the law recognises only one dominant purpose in the sense explained in Esso. But nothing turns on the form of expression. When the reasons are read fairly, it is tolerably clear that her Honour was not purporting to identify two co-existing “dominant” purposes in a technical sense. Rather, her Honour was conveying that the legal purpose did not prevail over the other substantial purposes identified, which were of equal or greater significance in the evaluative sense required by the authorities. That was an orthodox application of the dominant purpose test, notwithstanding this infelicity of expression.

68    Proposed Grounds 4 and 5 should therefore be rejected as demonstrating arguable error.

D.4    Proposed Ground 6: public statements and ASX disclosures

69    By Proposed Ground 6, Medibank contends that the primary judge erred in concluding that certain public statements made by Medibank supported the conclusion that the Deloitte review was not brought into existence for a dominant legal purpose.

70    At PJ [77]–[83] her Honour referred to Medibank’s 7 November 2022 ASX announcement, including statements that Medibank would conduct a review to “learn from this event” and to ensure that “lessons learned” would be implemented. Her Honour also noted the qualification that key outcomes of the review would be shared “where appropriate”.

71    Medibank submits that these statements were consistent with a dominant legal purpose and that her Honour erred in treating them as pointing away from privilege.

72    One can readily accept that it is possible for a company to speak publicly about a process, even one commissioned for the dominant purpose of obtaining legal advice, without thereby abandoning privilege. Public statements do not necessarily define purpose. But that is not what the primary judge held.

73    Within the purpose analysis, the primary judge referred to Medibank’s conduct; this was not because any one statement was determinative, but because those statements formed part of the objective circumstances surrounding the commissioning and use of the Deloitte review. Her Honour was entitled to consider the way in which the review was publicly framed at the time it was commissioned.

74    Medibank develops the point in a more particular way in reply, submitting that there was no rational basis for treating those statements as indicative of a non-legal purpose and that her Honour’s reasoning involved an impermissible conflation of dominant purpose with waiver.

75    It is convenient here to deal expressly with the way in which Medibank now seeks to disaggregate the primary judge’s reasoning. In its reply and oral submissions, Medibank identifies a series of steps said to underlie her Honour’s conclusion in relation to the so-called ASX or public purpose, and submits that there was “no rational basis” for critical aspects of that reasoning. That submission should be rejected.

76    The difficulty with the submission is that it proceeds by isolating individual propositions and testing them in the abstract, rather than engaging with the evaluative task her Honour was performing. The question was not whether any one statement, taken in isolation, was logically inconsistent with a legal purpose.

77    Once the inquiry is framed correctly, there is no want of rationality in her Honour’s reasoning. A public explanation of the review in those terms, given at the point of commissioning, was capable of supporting the conclusion that the review was not conceived predominantly as an internal legal exercise. It was part of Medibank’s outward-facing response to the incident. That is how her Honour treated it. The criticism that there was “no rational basis” for that conclusion amounts, in substance, to a disagreement with the weight her Honour attributed to those matters.

78    The primary judge understood that the significance of the public statements here lies in their content and timing. At PJ [77], her Honour set out the 7 November 2022 ASX announcement that Medibank would commission an external review “to ensure that we learn from this event and continue to strengthen our ability to safeguard our customers”, and that Medibank “commits to sharing the key outcomes of the review, where appropriate”. This was not a vague acknowledgment of some background investigation. It was a contemporaneous explanation to the market of why Medibank was commissioning the review. The primary judge was plainly entitled to treat Medibank’s own public articulation of purpose as evidence bearing upon the objective purpose inquiry.

79    The timing of the statement matters. The announcement was made at the stage of commissioning. The precise metes and bounds of the review were still being settled. Deloitte had not yet been finally engaged. This was therefore not merely a later public narrative imposed on a process whose purpose had long since crystallised. It was part of the process by which Medibank itself introduced the review into the world. This cannot be ignored.

80    The content of the statement also matters. The themes of so-called “learning”, strengthening customer safeguards, transparency and sharing outcomes where appropriate were public-accountability and organisational-improvement themes. They pointed to the review as serving an external and managerial function and to the fact it was partly forward-looking. That did not make legal purpose disappear and it is not to suggest that Mallesons may not need to give legal advice in relation to recommendations (consistent with evidence her Honour accepted). But it supported the primary judge’s conclusion that legal purpose was not the only, and perhaps not the prevailing, purpose.

81    The respondents’ answer correctly identifies the flaw in Medibank’s approach. They submit that Medibank seeks to make “a fortress” out of the words “where appropriate”, while failing to grapple with what the public statements actually did. Those statements reassured customers and investors and demonstrated that Medibank was taking externally verifiable steps in response to the breach. The respondents are right to say that the statements were not neutral. They were performative in the institutional sense: they positioned the Deloitte review as part of Medibank’s public response.

82    Moreover, in this part of her reasoning, the primary judge did not rely on the 7 November statement alone. PJ [85] refers to the governance flow document which grouped “Incident Investigation” and “External Review” together and stated as the purpose of the external review that it would “conduct an external and independent review and share findings and lessons”. PJ [159] later refers to public statements about Deloitte’s findings and recommendations and the implementation of recommendations.

83    When those materials are read together, they reveal a review that was not merely hidden within legal advice but actively used as part of Medibank’s external and institutional response. That is not only a sufficient but powerful basis for the primary judge’s conclusion.

84    Finally, Medibank’s argument underestimates the significance of corporate self-description. In a case of this kind, where the company itself publicly says, particularly in a form of contemporaneous writing, what the review is for, a court is entitled to place some significant reliance on what the company is telling the world. The primary judge did not say that Medibank’s public articulation bound it conclusively. She treated it as evidence, and strong evidence, of purpose. That was entirely permissible.

85    Medibank submits that the primary judge reasoned by asking whether Medibank’s conduct was inconsistent with the maintenance of confidentiality, rather than by asking what dominant purpose brought the reports into existence. It points to passages in which her Honour described conduct as “contrary to”, “inconsistent with”, or “antithetical to” the legal purpose being dominant, and submits that this language reveals that waiver concepts infected the dominant purpose analysis.

86    To the extent that Medibank contends that the primary judge’s reasoning was affected by an impermissible conflation of dominant purpose with waiver, that contention should also be rejected. Her Honour did not apply the doctrine of waiver in this part of the analysis. References to inconsistency were directed to the evaluative question whether the review, as publicly articulated and operationalised, served purposes beyond the provision of legal advice.

87    Medibank’s invocation of Osland v Secretary, Department of Justice [2008] HCA 37; (2008) 234 CLR 275 and Mann v Carnell [1999] HCA 66; (1999) 201 CLR 1 does not assist it on this point. Those cases address waiver and the circumstances in which public reference to legal advice or a privileged process may or may not amount to an abandonment of confidentiality. They do not establish that public statements are irrelevant to original purpose. Here the primary judge used the statements not to find waiver at this stage, but as evidence of why the review was being undertaken. That use was orthodox.

88    There is, of course, a genuine danger in this area of reasoning by a sort of conceptual slippage. The language of inconsistency is rooted in waiver. If a court is not careful, it may inadvertently reason that because conduct later looks inconsistent with confidentiality, the document must not have been privileged in the first place. That would indeed be a wrong turn.

89    The primary judgment does not reveal that error. It is true that the same conduct may bear on both purpose and waiver. Public announcements, regulatory sharing and organisational dissemination may tell one something about why a document was commissioned and may also later bear on whether confidentiality was maintained. The legal questions are distinct, but the evidence may overlap. What matters is whether the primary judge kept the legal analysis distinct.

90    The structure of the reasons is itself significant. The privilege analysis occupies PJ [23]–[407]. The waiver analysis is separately addressed at PJ [424]–[446]. Within the purpose analysis, the primary judge referred to Medibank’s conduct (not because later inconsistency with confidentiality itself supplied the legal test, but because that conduct was still probative of purpose). A court is entitled to look at how a report is announced, integrated and later used to infer what institutional functions it was expected to serve from the outset. That is not waiver reasoning by stealth. It is orthodox evidentiary reasoning.

91    Medibank’s complaint, with respect, rests too heavily on particular words detached from context. The fact that her Honour described some conduct in the way she did does not mean she was applying a waiver test. At this point of her reasons, the primary judge was evaluating the evidentiary significance of that conduct against Medibank’s contention that legal purpose prevailed.

92    The respondents are right to submit that the primary judge did not collapse the two inquiries. The waiver issue was addressed separately, and later. There is an insufficient basis for concluding that the primary judge asked the wrong question on dominant purpose.

93     No aspect of proposed Ground 6 discloses arguable error.

D.5    Proposed Ground 7: APRA and the regulatory dimension

94    Proposed Ground 7 challenges the significance the primary judge attached to the role of APRA and the regulatory setting. Medibank’s case is that, by the time APRA became materially involved, the board had already resolved to have an external review for legal reasons. Medibank says that it was commercially sensible and entirely orthodox to ensure that one review could, so far as possible, satisfy both Medibank’s legal needs and any legitimate regulatory interest, thereby avoiding the duplication and distraction of multiple reviews. Medibank submits that the primary judge wrongly treated this practical accommodation as evidence that the review was commissioned for APRA or for a distinct regulatory purpose of equal weight. It also points to the fact that APRA’s suggested additions were not fully incorporated into the final terms of engagement and that the relationship with APRA was structured so as to preserve claims of privilege. On Medibank’s case, those matters strongly suggest that APRA’s role was secondary and derivative, not independently purposive.

95    This argument, again, might be thought to have a patina of attraction but does not withstand analysis.

96    In a heavily regulated field, one would expect a prudent company and its solicitors to think about avoiding duplication and managing regulator expectations. If all that had happened here were that solicitors had settled on an external review for legal purposes and then told APRA of it, one might see force in Medibank’s submission that the regulatory dimension was merely practical and collateral.

97    The difficulty for Medibank is that this is not the factual picture the primary judge found. PJ [91] records that Medibank informed APRA that Mallesons had been engaged to appoint an external provider and shared draft terms of reference and a proposed governance structure. PJ [92] records APRA’s suggested additions directed to root cause, control deficiencies, areas of non-compliance with CPS 234 and the effectiveness of Medibank’s response. PJ [93] records Medibank’s response that those matters would either be considered as part of the external review or dealt with in future reviews or audits. Her Honour later returned to the broader significance of APRA’s role at PJ [150]–[164]. Those findings reveal not a merely passive disclosure to APRA, but an active engagement with APRA about the review’s form and function.

98    The difficulty with Medibank’s submission is that it tends to characterise the involvement of APRA as a matter of subsequent accommodation of a process already fixed in its purpose. That is simply not the picture revealed by the findings of the primary judge. The engagement with APRA occurred at the stage of settling the scope and governance of the review, and involved consideration of matters directed specifically to prudential compliance, control deficiencies and the effectiveness of Medibank’s response. In those circumstances, it was open to her Honour to conclude that the regulatory dimension was not merely incidental or collateral.

99    More fundamentally, the question is not whether APRA forced the review upon Medibank or whether the final retainer exactly mirrored APRA’s suggestions. The question is whether the objective circumstances show that regulatory engagement and prudential compliance were substantial reasons why Deloitte’s work was commissioned and shaped. The primary judge concluded that they were. That conclusion was plainly open.

100    There are two further considerations. First, the existence of a distinct CPS 234 report is of obvious significance. A report directed to prudential standard compliance is not naturally described as an incidental by-product of a legal retainer. It is a strong indicator that regulatory compliance was one of the substantive functions the Deloitte work was expected to perform. Secondly, Medibank’s own explanation that it wished to avoid duplication tends to support, rather than undermine, the primary judge’s analysis. If Medibank wanted one review to satisfy legal, regulatory and perhaps broader governance needs, that suggests a report designed to do several important jobs at once. That does not compel the conclusion that the legal purpose was not dominant, but it is perfectly consistent with the primary judge’s conclusion that the regulatory purpose was substantial and not merely collateral.

101    Medibank’s reliance on efforts to preserve privilege in dealings with APRA also does not carry the argument very far. A company may well seek to preserve confidentiality over documents which nonetheless serve significant regulatory purposes. The fact that privilege is asserted or protected in dealings with a regulator does not tell one, without more, that the documents were created predominantly for legal advice. Once again, Medibank’s argument tends to shift from the question of purpose to the question of maintenance of confidentiality. The primary judge’s focus remained on purpose. In that respect the reasoning was orthodox.

102    Again, Proposed Ground 7 does not arguably expose any analytical error in the primary judge’s reasoning. It merely invites a different factual conclusion about the weight to be attached to the regulatory evidence.

D.6    Proposed Ground 8: Role of the Board

103    By proposed Ground 8, Medibank contends that the primary judge erred in treating the role of the Board in relation to the Deloitte review as a circumstance telling against the existence of a dominant legal purpose. That contention must be rejected. The primary judge did not proceed on the footing that Board involvement was inconsistent with the existence of a legal purpose. Rather, her Honour treated the Board’s role as one of several objective circumstances bearing upon purpose.

104    On the evidence, the Deloitte review was embedded within a governance structure directed to responding to a significant corporate incident. It formed part of a programme of work overseen at Board and executive level, in which the Board sought to be informed of what had occurred, to oversee remediation, and to discharge its responsibilities in relation to risk, compliance and organisational response. The fact that the Board required an external and independent account of the incident, and that the review was integrated into processes by which the Board was to be apprised of findings and recommendations, was capable of supporting the conclusion that the review served substantial governance and institutional purposes beyond the provision of legal advice.

105    It may be accepted that Board involvement was also consistent with the existence of a legal purpose, but that is beside the point. The inquiry was not whether a legal purpose was present, but whether it predominated. The circumstance that the review was commissioned, structured and reported within a framework of Board oversight could support the conclusion that the legal purpose did not prevail.

106    Medibank’s submission ultimately reduces to the proposition that the same facts should have been evaluated differently. That does not identify error.

107    Proposed Ground 8 does not reveal any recognisable error.

D.7    Proposed Ground 9: partial waiver of the PIR Report

108    By proposed Ground 9, Medibank challenges the conclusion that, by its ASX announcement of 28 April 2023, it waived privilege in that part of the Post Incident Review report relating to recommendations to enhance Medibank’s IT processes and systems.

109    In my view, this challenge has force.

110    With respect, the primary judge’s reasoning tends to treat high-level public statements about the existence of findings, recommendations and implementation steps as sufficient to amount to an inconsistency with the maintenance of confidentiality, without identifying any disclosure of the substance or gist of the privileged communications themselves. The authorities make clear that waiver turns on inconsistency, not merely on the fact of reference to a privileged process. A distinction must be maintained between acknowledging, at a general level, that a review has produced recommendations, and deploying or selectively disclosing the content of those recommendations in a way that gives rise to a relevant inconsistency.

111    With respect, I do not think that distinction was sufficiently maintained. The statements relied upon were expressed at a level of generality, did not reveal the reasoning or analysis contained in the report, and were consistent with the position of a listed entity informing the market of matters of significance while preserving its legal position. Nor does the reasoning identify any forensic or other advantage obtained by Medibank in a way that would make it inconsistent to maintain privilege over the underlying material. In those circumstances, the conclusion that privilege was waived in part of the report cannot, with respect, be sustained.

112    However, leave ought not to be granted because nothing ultimately turns on this issue. The finding of partial waiver was not the foundation upon which the primary judge rejected the claims for privilege in respect of the Deloitte reports, but rather an additional and alternative basis for the orders made. The central and determinative conclusion stands independently of any question of waiver.

E    NOTICE OF CONTENTION

113    Although, in the light of the above, it is not necessary to deal with the argument raised by the notice of contention, it is appropriate to say something about it, because the way it was advanced below and on appeal was relied upon as reinforcing the correctness of the ultimate result.

114    The respondents contend that, if privilege did subsist in any part of the Deloitte reports, Medibank waived it more broadly than the primary judge found. The contention is put at a relatively high level of generality. It rests primarily upon Medibank’s public communications concerning the Deloitte review, including statements that it had received Deloitte’s findings, that recommendations had been made, and that Medibank was implementing those recommendations. The respondents also rely upon disclosure to APRA and the internal dissemination of the reports within Medibank. The essence of the submission is that Medibank sought to obtain both forensic and reputational advantage by invoking the Deloitte review, while at the same time maintaining claims of privilege over the underlying documents.

115    Medibank’s answer, however, is not merely a formal denial of inconsistency with confidentiality, but a structured response directed to each of those matters. It submits that its public statements were carefully framed and qualified, including by the repeated use of language such as “where appropriate”, and were directed to high-level descriptions of process and outcome rather than to the substance of the privileged communications themselves. It further submits that disclosure to APRA occurred on an expressly confidential footing, consistent with the preservation of privilege, and that the regulator’s involvement did not entail any abandonment of confidentiality. As to internal circulation, Medibank emphasises that dissemination occurred within the corporate entity and among those whose functions required access to the material, and therefore did not take the documents outside the relevant sphere of confidentiality. Put shortly, Medibank’s case is that none of the conduct relied upon by the respondents answers the question identified in Mann v Carnell [1999] HCA 66; (1999) 201 CLR 1, namely whether there has been a voluntary disclosure inconsistent with the maintenance of the privilege.

116    As noted above, the primary judge accepted a form of the respondents’ argument, but only in relation to part of the Post Incident Review report, concluding that Medibank’s public use of certain recommendations and implementation steps was inconsistent with maintaining privilege over that part: PJ [424]–[446], especially [445]–[446].

117    I have already explained why I respectfully consider the narrower finding of the primary judge to be problematical. It suffices to say the notice of contention does not provide a compelling or obvious alternative basis for affirming the orders below, and does not materially affect the disposition of the application.

F    LEAVE TO APPEAL AND CONCLUSIONS

118    This is an interlocutory application for leave to appeal. Medibank is required to show sufficient doubt to warrant reconsideration and that substantial injustice would result if leave were refused. There is no doubt that the privilege issue is important to Medibank. But importance of consequence does not by itself satisfy the leave threshold. A question remains whether the proposed grounds disclose an arguable error of a kind warranting appellate intervention.

119    For the reasons set out above, they do not (save in one immaterial respect). The primary judge identified the governing legal principles correctly, analysed the evidence in detail, and reached evaluative conclusions that were open on the record. Medibank’s arguments, though carefully put, do not identify any doctrinal misstep. They seek, rather, to reweight the evidence and to replace the primary judge’s synthesis with another more favourable to Medibank. That is not a sufficient basis for leave.

120    It is appropriate to say something briefly about the course this matter has taken. The application before the primary judge occupied no less than three days of court time, generated a very lengthy judgment, and was followed by a substantial application book and around 100 pages of densely typed written submissions accompanied by very extensive lists of authorities. The present application, in turn, has been argued over two days, with six counsel appearing and large teams of solicitors engaged on both sides. The issues concerning legal professional privilege are undoubtedly important, both for the parties and more generally. But the principles are well-known and firmly established. The scale of the resources deployed in resolving this issue over three documents, at both first instance and on this application, invites reflection as to whether such questions might more often be determined in a way that is more proportionate in cost and expedition, consistently with the overarching purpose reflected in Pt VB of the Federal Court of Australia Act 1976 (Cth).

121    With the benefit of hindsight, it may be that this is a leave application I should have dealt with more impressionistically when it came before me at an earlier stage, having regard to the evaluative nature of the dominant purpose inquiry and the limited scope for appellate intervention absent error of principle.

122    These comments are not meant to criticise the careful reasons of the primary judge, nor the diligence with which the parties have advanced their positions. But what has occurred does suggest that, in cases of this kind, there is utility in identifying at an early point (and then at later stages) whether the dispute truly warrants the degree of forensic elaboration which it has here attracted, or whether the issues can be resolved more shortly without loss of fairness or rigour.

123    The application for leave should be refused. If leave were granted, the appeal would, in any event, be dismissed.

124    I would order that: (1) the application for leave to appeal is refused; and (2) Medibank pay the respondents’ costs.

WIGNEY J:

125    I agree with Lee J that Medibank’s application for leave to appeal should be dismissed with costs. I also agree with his Honour’s comprehensive reasons for so concluding.

126    Although Medibank proposed several grounds of appeal and advanced lengthy and detailed submissions challenging various aspects of the primary judge’s reasons, the proposed appeal really raised one essential issue. That issue was whether the primary judge erred in any material respect in concluding that Medibank had not discharged its onus of proving that the external reports over which it claimed legal professional privilege were commissioned for the dominant purpose of Medibank obtaining legal advice from its solicitors.

127    Having painstakingly analysed and evaluated the voluminous evidence and submissions of the parties, the primary judge concluded that the reports had been commissioned for several purposes. The legal purpose was one of those purposes, but was not the dominant purpose.

128    Despite the microscopic parsing and analysis of the primary judge’s reasons for judgment, and the thorough excursion through the evidence in Medibank’s written and oral submissions, I am not persuaded that her Honour’s conclusion in that regard is attended by sufficient doubt to warrant reconsideration by the Full Court, essentially for the reasons as articulated at length by Lee J. Nor am I persuaded that Medibank’s proposed grounds of appeal are sufficiently arguable to warrant the grant of leave to appeal.

HESPE J

129    I too agree with the orders proposed by Lee J. For the reasons given by Lee J, I am satisfied that the primary judge’s conclusions in relation to dominant purpose were the product of orthodox application of established principle.

130    I also agree with Lee J that the primary judge erred in relation to waiver. However, that error did not affect the central and determinative conclusion in relation to dominant purpose. I, therefore, agree that this is not a case in which the primary judge’s judgment is attended with sufficient doubt to warrant the grant of leave to appeal.

Associate:

Dated:    7 April 2026