Andrew ThompsonSachi Dade, the partner of retired Melbourne premiership defender Steven May, has launched Federal Court action against the Melbourne Football Club, senior coach Steven King and football boss Alan Richardson. The claim follows a February 2026 phone hook-up in which the club allegedly shared confidential and legally sensitive information with several players' partners, prompting an apology from the Demons and a management hearing scheduled for June 2026.
The case thrusts a routine AFL internal meeting into the national privacy spotlight. It also raises a broader question for Australian employees, contractors and family members: what happens when an organisation handles your personal information carelessly, even after it says sorry?
What triggered the Federal Court claim
According to a 7NEWS report published on 18 June 2026, the dispute began with a phone call between Melbourne Football Club officials and a group of players' partners in February. A whistleblower alleged in April that the club disclosed confidential and legally sensitive material during that call, causing distress behind the scenes.
The report prompted a complaint to the AFL Players' Association and, eventually, a public apology from Melbourne. The club acknowledged the meeting "caused distress and for that the club is sorry". May, who spent time on personal leave during the 2026 pre-season, announced his retirement on 1 March via Instagram, stating the decision was right for himself, his family and the team.
The matter has now moved beyond the AFL's internal processes and into the Federal Court. Dade's case is listed for a management hearing, with the club and two senior football officials named as respondents.
How Australian privacy law applies
The legal action appears to turn on whether Melbourne FC handled personal information in a way that breached the Privacy Act 1988 (Cth) or, more specifically, the Australian Privacy Principles. The Principles cover the collection, use, disclosure, security and correction of personal information by organisations with an annual turnover above $3 million, as well as some smaller entities that handle sensitive data.
The Australian Government's privacy guidance explains that an organisation must only use or disclose personal information for the purpose for which it was collected, unless an exception applies. Disclosing sensitive details to a wider group than necessary — for example, during a conference call with partners who had no legitimate need to know — can amount to an interference with privacy if reasonable steps were not taken to limit the audience.
The Notifiable Data Breaches scheme, which commenced in 2018, adds another layer. Where unauthorised access or disclosure of personal information is likely to result in serious harm, the organisation must notify affected individuals and the Office of the Australian Information Commissioner. The scheme is not limited to cyber incidents; verbal disclosure, misplaced documents and misdirected communications can all trigger it if the harm threshold is met.
You can read the official overview of these obligations on the Attorney-General's Department privacy page.
Why an apology may not be enough
Melbourne's public apology acknowledged distress, but an apology does not extinguish a potential legal claim. In privacy litigation, courts consider whether the organisation took reasonable steps to prevent the disclosure, whether it investigated properly, and whether affected individuals were informed through the correct channels.
High-profile visitors are not the only ones testing Australian privacy law. Recent cases involving public figures in Australia show that organisations can face reputational damage, regulatory scrutiny and civil liability even when no malicious intent is alleged. The key issue is whether the handling of personal information was reasonable in the circumstances.
Reality television has already shown how consent and personal information can collide when organisations collect and share private details without clear boundaries. The lesson applies equally to sporting clubs, employers and community groups: saying sorry is a start, but it does not replace compliance.
What this means for employees and partners
The Steven May privacy case is a reminder that personal information shared in employment or club settings does not lose legal protection. Partners, family members and associates who disclose details to an organisation — whether about health, finances, relationships or personal circumstances — generally retain the right to expect that information will be handled lawfully.
For employees, the case highlights three practical points:
- Know the purpose. Personal information collected for one reason should not be used for another without clear consent.
- Question the audience. If sensitive details are discussed in group settings, ask who needs to know and whether the disclosure is authorised.
- Document concerns. If you believe your information has been mishandled, keep a record of what was disclosed, when and to whom.
These steps are especially important in industries where personal and professional boundaries overlap, such as sport, entertainment and family businesses.
When to seek legal advice
If you believe your personal information has been disclosed without authorisation, a lawyer can help you understand whether the Privacy Act 1988 applies, whether you have grounds for a complaint to the OAIC, and whether court action is appropriate. Remedies can include compensation, injunctions and orders for the organisation to change its practices.
A legal professional can also review any privacy policy, employment contract or club membership terms that affect your rights. In some cases, the same facts may give rise to claims for breach of confidence, defamation or negligence, depending on what was disclosed and to whom.
Disclaimer: This article is general information only and does not constitute legal advice. If you are affected by a privacy issue, consult a qualified Australian lawyer for advice tailored to your situation.
