The recent Federal Court decision of Robertson v Singtel Optus Pty Ltd considered (amongst other things) whether an independent report commissioned by Optus was protected from disclosure by legal professional privilege.

Following a cyberattack on the Optus database in September 2022, Peter Robertson and Elizabeth Fortune (Applicants) commenced a class action against Optus alleging breaches of contract, privacy and telecommunications and consumer laws. As part of the proceeding, the Applicants sought an order for discovery of an independent ‘root cause’ report which Optus had engaged Deloitte to prepare following the cyberattack (the Report).

Optus sought to withhold the Report from disclosure on the grounds that it was subject to a valid claim of legal professional privilege. Legal professional privilege operates to protect confidential documents and / or communications from disclosure which were made for the dominant purpose of giving or obtaining legal advice in or for the purposes of litigation or arbitration.

Optus argued that the Report was subject to legal professional privileged because it was prepared on instructions from and for the dominant purpose of assisting the general counsel of Optus advise the Optus Board on the various complex legal matters surrounding the cyberattack.

The issue before the Federal Court was whether the dominant purpose for which the Report was produced was in fact one which was protected by privilege. Justice Beach determined that it was not.

In reaching his decision Beach J outlined the key common law principles regarding legal professional privilege, and reiterated that the ‘dominant purpose’ is a question of fact to be ascertained objectively, taking into account the context and intentions of the initiator / author of the document.

Based on public statements made by the CEO and Optus Board, and the subjective intention of Optus’ general counsel (as ascertained from emails and internal resolutions circulated to the Optus Board regarding the Report), Beach J was not satisfied that the dominant purpose of the Report was related to legal advice or litigation.

Rather, His Honour found that the Report was procured and prepared for multiple purposes, including:

1. to assist with providing legal advice to the Optus Board including advice about litigation or regulatory proceedings;
2. to identify the circumstances and root causes of the cyberattack for ongoing management and rectification purposes; and
3. to review the internal management of cyber-risk in relation to Optus’ policies and processes.

As such, and because Optus had failed to establish that the dominant purpose of the Report related to the giving of legal advice or litigation, it was not protected by legal professional privilege from disclosure to the Applicants.

This case is a helpful reminder that when commissioning a report, careful consideration should be given to the purpose and where multiple purposes exist, separate reports may be required to protect any legal advice from future disclosure in any legal proceedings.

The full decision is located here.