How to keep your internal investigations private – legal privilege and the risk of disclosure

There are many reasons a business may need to conduct an internal investigation. Many of those reasons will bring with them a risk of enforcement action by an external regulator – up to and including a criminal prosecution. Common examples include:

• A Health and Safety Executive investigation following a workplace injury or fatality;
• An Environment Agency investigation following a pollution incident;
• An ICO investigation following a data breach; or
• A Serious Fraud Office investigation arising from internal fraud, bribery or corruption.

These investigations bring tangible benefits. They are a crucial tool in working out what went wrong, what management systems need to be changed, and therefore preventing future incidents. However, the difficulty is that in some cases a business can be required to disclose these investigations to regulators, who in turn will decide what enforcement action to take.

This creates a real tension between the need to properly investigate, but to also protect your legal rights and ability to defend yourself in any future enforcement action.

The solution to that tension is legal privilege – any privileged document will be exempt from disclosure, even where special statutory powers are available to regulators. The crucial legal question for in house lawyer therefore is – will my internal investigation be privileged?

Until recently, the law on privilege looked as though it may change dramatically. In the recent case of SFO v ENRC, the judgment at first instance would have considerably reduced the chances of an internal investigation being privileged. The Court of Appeal has now overturned that position, and the key points to consider in this context are:

• Litigation (which includes criminal proceedings) must be at least contemplated; and
• The investigation must for the sole or dominant purpose of dealing with that litigation.

Taking legal advice in the immediate aftermath of an incident is a key step to demonstrating those points. It allows for the early identification of what litigation could arise from the facts, and for investigation to take place in that context. This will considerably increase the likelihood that documents can be privileged, and protected.

It is worth bearing in mind that if a document or report starts its existence as “not-privileged” (or loses its privilege during the course of an investigation) it is effectively impossible to recover. The important practical question for businesses and their in-house lawyers therefore, is whether their crisis management procedures are consistent with establishing privilege in the immediate aftermath of an incident, when there is often limited opportunity to start planning how an investigation will be managed, and who will take the lead.

Businesses should think about their crisis management plans, and ask themselves the following questions:

• Is it clear that legal proceedings have been contemplated?
  • Has the basis for that contemplation been properly expressed and recorded for evidential purposes?
• Have external lawyers been appointed to preserve legal advice privilege when dealing with the most sensitive issues?
• Are the individuals to be interviewed as part of the investigation authorised to seek legal advice?
• Have the key elements to establish and preserve legal privilege been integrated into your procedures for investigation and incident response?
• How will privileged documents be protected?
  • Is it clear how communications with insurers, regulators and the press will be managed?
  • Is there a clear process for how evidence will be stored and findings recorded?

If you would like further information on crisis management systems, internal investigation and other ways to prepare for serious incidents, please contact Ben Derrington in Ashfords’ Business Risk and Regulation team on 0117 321 8014.