Breach Registers – will they be privileged from production? 

02 March 2022

In our December summary of ASIC enforcement priorities, we highlighted the amendments to section 912D of the Corporations Act – which now makes it mandatory to report certain breaches of that Act and the ASIC Act to ASIC. ASIC has said that it will be difficult to meet these reporting requirements without maintaining a breach register. The breach register is likely to contain some sensitive and confidential information which ASIC or potential plaintiffs might want to have access to. It may also record information which would ordinarily be privileged from production in legal proceedings. But can you claim legal professional privilege in regard to a breach register?

Mandatory breach reporting and maintaining a breach register

From 1 October 2021, Australian financial services licensees who provide personal advice to retail clients; Australian credit licensees who provide mortgage broking services to consumers; and their respective representatives must comply with new breach reporting obligations as detailed in our December ASIC Regulatory update. A failure to comply can be the subject of enforcement action by ASIC. ASIC has noted, in Regulatory Guide 78: Breach reporting by AFS licensees and credit licensees, that a breach register, recording actions taken in identifying, reporting and resolving breaches, is not expressly required under relevant legislation but also said:

‘… we consider that, in practice, you will need a breach register to ensure that you have adequate arrangements in place to comply with your obligation to identify and report all reportable situations.’

ASIC has provided detailed guidance about breach registers and the type of information they should include and good compliance practices for maintaining them in Report 594: Review of selected financial services groups’ compliance with the breach reporting obligation.

Logically, a breach register would include information from, or necessary to provide instructions to, lawyers and no doubt there will be times when a party maintaining a breach register would wish to claim legal professional privilege over its contents.

Legal professional privilege claims

Whether a claim is made for legal professional privilege at common law or under statute, the rules are generally the same – you cannot be obliged to adduce evidence if that would result in the disclosure of a confidential communication made, or a confidential document prepared, for the dominant purpose of a lawyer providing legal advice to a client or for the dominant purpose of a client being provided with professional legal services in relation to anticipated or current proceedings. As will be apparent from any consideration of the nature of a breach register, it is likely to include confidential information prepared for the purpose of enabling lawyers to give advice to a client as to its rights and obligations or regarding potential legal proceedings. However the register may not to be privileged from production because it has not been prepared for the ‘dominant purpose’ referred to above. Indeed it is clear that investigations of potential legislative breaches, even those conducted by lawyers, can be liable to be produced in evidence (see for example Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2020] FCA 1277).

Preconditions for maintaining legal professional privilege

The key features for any document in regard to which legal professional privilege can be maintained are:

  1. That it is confidential; and
  2. That it is made or created for the dominant purpose of a lawyer providing legal advice to a client or for the dominant purpose of the client being provided with professional legal services relating to current or anticipated proceedings in which the client might be a party.

As has been shown in numerous cases, legal professional privilege can be lost by way of a document losing its confidential status (for example, if it is circulated too widely within an organisation) or where it cannot be shown that the ‘dominant purpose’ of the document is one of the two set out above.

Breach registers and legal professional privilege

If you seek to maintain privilege over a breach register then its ‘dominant purpose’ will need to align with what is set out above. This would involve having internal or external legal counsel make the ultimate decision about reportable breaches (presumably after other compliance personnel have reviewed the relevant documentation and undertaken an initial assessment of whether a breach needs to be reported).

Consequently, in order to make a proper claim for privilege, documentation used to establish and maintain a breach register needs to be created for the dominant purpose of ultimately obtaining legal advice about potentially reportable breaches. If all such documentation is prepared for the purpose of enabling a lawyer to sign off on a decision about whether to report a potential breach, then it will be strongly arguable that records created in the investigation process (including the breach register itself) were created for the dominant purpose of obtaining legal advice about whether a reportable breach had occurred. However, no amount of dressing a document up in a particular way, such as simply copying in a lawyer, will make it privileged – it has to satisfy the preconditions set out above. We have advised a number of clients on this issue and can provide advice regarding compliance systems, and the ways in which they can be adapted, so as to enable proper claims for legal professional privilege to be made with regard to breach registers and documents of a similar nature.

This article was written by Alistair Little, Partner.

Subscribe to HWL Ebsworth Publications and Events

HWL Ebsworth regularly publishes articles and newsletters to keep our clients up to date on the latest legal developments and what this means for your business.

To receive these updates via email, please complete the subscription form and indicate which areas of law you would like to receive information on.

Contact us