The correct use of AI, particularly generative AI, is becoming critical to business success. Used well, these tools can improve efficiency, support decision-making and help employees work more quickly. Used carelessly, they can expose an organisation to serious legal, regulatory and commercial risk.
This article considers recent case law on the interaction between generative AI and legal professional privilege and examines the wider issues employers are likely to face as employees increasingly use generative AI tools in their daily work.
The use of AI and legal professional privilege
Legal professional privilege is a fundamental protection under English law. In broad terms, it allows a client to withhold certain confidential communications from disclosure to a third party or a court, provided that those communications are made for the purpose of obtaining or giving legal advice, or for the dominant purpose of litigation. The protection enables clients to seek legal advice and allows lawyers to advise fully and frankly.
However, privilege depends on confidentiality. If confidentiality is lost, privilege may be lost with it. That principle isn’t new. What is new is the way in which generative AI tools may cause confidentiality to be lost, sometimes without the user appreciating the consequences.
The potential loss of privilege was recently considered in UK v Secretary of State for the Home Department [2026]. Although the case primarily concerned AI hallucinations and lawyers’ duties to the court, it also contains important observations on confidentiality and privilege. The main takeaway for employers is the tribunal’s finding that uploading confidential documents into an open-source AI tool may place that information in the public domain, breach client confidentiality and waive legal privilege.
That may also create data protection issues and require the business to consider whether notification to the Information Commissioner’s Office (ICO) is necessary. For example, if an employee uploads legal advice about an employment dispute into an unauthorised public AI tool, the employer may face an argument that confidentiality has been destroyed and privilege waived. The point isn’t that AI must never be used, but that the choice of tool may affect the legal status of the material being processed.
Open-source, public and closed AI tools
The decision refers to open-source AI tools, as opposed to closed-source AI tools. It doesn’t, however, elaborate on that distinction, leaving employers with a number of practical questions.
In practice, the risk isn’t limited to whether the underlying model is open source in the technical software sense. Employers should also consider which tools employees are permitted to use, what restrictions should apply and whether confidential or personal data can safely be entered into those tools.
The fact that an AI tool is described as ‘enterprise’, ‘private’ or ‘secure’ doesn’t automatically mean that privilege is preserved. Relevant questions include whether prompts and uploaded documents are used to train the model, whether they are accessible to the provider or third parties, where the data is stored, whether it can be deleted and whether the tool has been approved by the organisation’s IT, legal and data protection teams.
Conversely, the decision shouldn’t be read as saying that all use of generative AI is impermissible. The courts have acknowledged that AI can be a useful tool in litigation and legal practice, provided it’s used with appropriate oversight. The decision instead invites employers to consider whether the AI tools currently being used within their organisation could inadvertently compromise the company’s position in potential future litigation.
Data protection and breach risk
The privilege issue will often sit alongside data protection risk. Many employment-related documents contain employee personal data. Uploading those materials to an unauthorised public AI tool may therefore amount not only to a confidentiality issue, but also to a personal data breach.
If an employee uploads another employee’s personal data, or any other personal data, into an unauthorised generative AI tool, the organisation will need to assess the incident and consider whether it must be reported to the ICO or the individual concerned.
There’s also an emerging practical issue for employers in the form of AI-specific data subject access requests, meaning requests for disclosure of AI prompts, AI-generated drafts, AI-assisted investigation materials and audit trails. In appropriate cases, employees may seek information about how AI was used in a grievance, disciplinary process, redundancy selection, performance assessment or litigation strategy. Employers should therefore assume that AI use may later need to be explained, justified and documented.
Use of AI by employees
For employers, the most immediate risk isn’t necessarily the formal adoption of a sophisticated AI system. It’s often informal and uncontrolled use by employees. An employee may paste confidential documents into a public tool to summarise them, use open-source AI to draft a grievance response or ask a chatbot to analyse legal advice.
Each example creates a different risk. The first may compromise confidentiality and privilege. The second may affect the fairness or transparency of an internal process. The third may expose privileged advice. These are only a few examples – the potential risks are much wider.
The problem is particularly acute in employment law because workplace disputes often involve highly sensitive personal data and internal HR processes may later be scrutinised by an employment tribunal. If AI has been used in a grievance, disciplinary or redundancy process, employers may need to explain who used it, what was inputted, what was generated, whether the output was checked and whether the decision-maker exercised independent judgement.
Key takeaways
The recent case law doesn’t mean that generative AI has no place in legal or employment work. It does, however, make clear that generative AI must be used with caution, particularly where confidential, privileged or personal information is involved.
For employers, the central lesson is that AI governance is now a legal risk issue, not merely a technology issue. Employers should understand what tools their staff are using, restrict the use of public tools for sensitive material, adopt clear policies, train employees and put in place breach escalation procedures. They should also consider the litigation implications of AI use, including whether prompts, outputs and decision-making processes may later be scrutinised.
Until the law and regulatory guidance develop further, employers should take a cautious approach. They should ensure that generative AI is used as a tool to support human judgement, not as a substitute for it. They should also ensure that the convenience of AI doesn’t come at the cost of legal professional privilege, client confidentiality, data protection compliance or fairness in employment decision-making.
Looking ahead
The use of generative AI in the workplace will continue to increase. Case law and regulatory guidance are beginning to follow, but they remain at an early stage.
The current position leaves important questions unresolved, including when privilege will be treated as waived, how different AI deployment models affect confidentiality and how tribunals will approach disclosure of prompts and AI-generated materials in employment disputes.
Until there’s greater certainty, employers should take specialist advice before introducing AI policies and ensure their workforce is sufficiently trained.