1.1 Who should read this practice note?
All solicitors and members of their staff offering or planning to offer semi-automated online legal services.
1.2 What is the issue?
Practices introducing semi-automated online legal services face a number of regulatory and professional conduct challenges which they should address at the design or procurement stage by undertaking comprehensive risk assessments.
2 The variety and nature of semi-automated online legal services
In recent years, there has been a growth in the ability to deliver legal services electronically and online with little or no human intervention. This raises particular risks for firms and their duties to clients, particularly in respect of their professional conduct duties. This practice note looks at these risks.
It should be stressed that this practice note does not deal with 'fully automated services' - ie those services which do not involve any review or consideration by or under the supervision of a solicitor. It is not clear how the professional conduct risks from wholly automated legal services can be mitigated. In particular, it is unclear how such services can fully ascertain the needs and circumstances of clients, particularly vulnerable clients, and thereby provide a proper standard of service.
2.1 Semi-automated online legal services
Semi-automated online legal services involve interaction between a client and a practice's online system in which some automated decision-making is undertaken on the basis of information provided by the client. Appropriate human review is built-in to ensure that key issues and risks have been taken into account.
A semi-automated legal service can be distinguished from a 'traditional' service in which there is no automated decision-making and which simply uses the internet as a communications channel.
Internet-based digital technologies can deliver many stages of a typical legal service:
- acceptance of instructions
- analysis of a client's legal problem
- construction of a complete or partially packaged legal 'solution'
- delivery of the solution
- billing and payment, and
- storage or archiving of relevant records
Fully end-to-end semi-automated online legal services, which involve an appropriate level of non-automated review by the practice, may be offered alongside semi-automated partially online services, for example where there is an option to obtain advice by telephone or where some aspect of a matter triggers an 'off-ramp' that directs a client out of the online process.
Examples of current use of the internet by law firms to deliver legal services include:
- fixed-fee online advice services in areas ranging from family law to contract law
- automated assembly of legal documents, including wills
- online applications for grant of probate
- uncontested online divorces
- debt recovery.
As practices and clients become more familiar with semi-automated online legal services, further innovation in their range and nature is likely.
3 An overview of semi-automated online legal services
3.1 The advantages and disadvantages
Introducing semi-automated online legal services may have significant advantages and disadvantages for both your practice and your clients. You may wish to evaluate these in the context of your current operations and future plans. In particular, you may wish to consider whether or not there are equality and diversity implications for the services you offer your clients.
3.2 The regulatory and professional conduct environment
The principles in the SRA Code of Conduct apply to your provision of legal services in general and do not distinguish between conventional legal services and semi-automated online legal services. Your semi-automated online legal services must achieve the same minimum professional standards as your conventional services and, in order to ensure that they do so, you will need to decide which aspects of the service can be automated and which cannot.
You must also satisfy generally applicable regulatory requirements, for example, in relation to the Data Protection Act 1998 and the Equality Act 2010.
3.3 Compliance by design
As with most IT-related projects, it is usually better to address professional and regulatory compliance early in the design or evaluation of your online legal service.
Outcome 7.2 is relevant to designing or evaluating online legal services. This requires that you have effective systems and controls in place to comply with all the applicable principles, rules and outcomes and other requirements of the SRA Handbook.
3.4 Testing and certification
You must satisfy yourself that the information or advice provided by your semi-automated online service is up to date and reflects appropriate decision-making logic.
This is also the case where your semi-automated online service is designed or maintained by a third party.
You should put your own monitoring and review arrangements in place on the basis of a risk assessment (see below). At present there are no recognised independent certifications for the automated component of your semi-automated service on which you can rely. You should therefore have the relevant legal expertise in order to provide a semi-automated online legal service in a particular practice area.
4 Managing the risks of semi-automated online legal services
Semi-automated online legal services are unfamiliar to many practices. The development of appropriate management and supervision arrangements, including effective systems and controls to ensure compliance with all the principles, rules and outcomes in the SRA Handbook, is a key risk.
4.1 Risk identification, assessment and evaluation
The principles and the code require compliance risks to be managed. Principle 8 requires you to run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles. Relevant outcomes include 7.3: you identify, monitor and manage risks to compliance with all the principles, rules and outcomes and other requirements of the Handbook, if applicable to you, and take steps to address issues identified.
Risk assessment involves the identification, categorisation and, as far as possible, mitigation of risk. Some residual risk will remain and may exceed the level you are willing to accept.
Effective risk management is a positive obligation placed on firms, owners and managers, and Compliance Officers for Legal Practice (COLPs)/Compliance Officers for Finance and Administration (COFAs). You should have systems to monitor and manage risk continuously.
4.2 Risk and innovation
The code is intended to offer flexibility in the achievement of outcomes. The SRA recognises and actively encourages this, stating within the preamble to the code that:
'We recognise that there may be other ways of achieving the outcomes. Where you have chosen a different method from those we have described as indicative behaviours, we might require you to demonstrate how you have nevertheless achieved the outcome. We encourage firms to consider how they can best achieve the outcomes, taking into account the nature of the firm, the particular circumstances of the matter and, crucially, the needs of their particular clients.'
The SRA has published advice (PDF) for firms seeking to make the best use of information technology (IT) in the way that they deliver their services.
5 Managing specific risks in semi-automated online legal services
Certain characteristics of semi-automated online legal services may heighten the risk of non-compliance with particular requirements in the code. They include:
- dealing with clients remotely (understanding your client), and
- dealing with clients' legal problems through standardised interfaces (the client's legal issues).
These are considered below.
Annex 1 briefly outlines dealing with clients through the internet and the web (electronic systems) and running a business that involves online legal services (managing your business).
5.1 Understanding your client
If your semi-automated online legal service does not involve any direct personal interaction with a client it may be impossible to assess a number of matters, including your client's vulnerability, the possibility of undue influence and impersonation, and their full needs and circumstances. However, where there is some degree of interaction, your processes and procedures may be able to address such issues. How they do so should be documented.
5.1.1 Vulnerable clients
'Vulnerable client' is not defined in the code and it is probably not a fixed category. Individuals can be temporarily vulnerable for physical, social or psychological reasons - for example, following an accident, arrest, bereavement or marriage breakdown. They may also suffer enduring physical or social vulnerability - for example, severe cognitive impairment or long-term homelessness. Vulnerability is therefore multi-faceted and may affect any client using an online legal service.
The SRA has confirmed that vulnerable clients will be a supervisory priority.
Vulnerability is relevant to at least two of the mandatory principles:
- Principle 4: you must act in the best interests of each client, and
- Principle 5: you must provide a proper standard of service to your clients.
There are also specific references to vulnerability in the code.
(i) Under systems for dealing with conflicts of interests:
Outcome 3.3 - your systems and controls for identifying client conflicts are appropriate to the size and complexity of the firm and the nature of the work undertaken, and enable you to assess all relevant circumstances, including whether:
(e) any client is vulnerable.
(ii) Under client care:
Indicative behaviour (IB) 1.6 - having proper regard to your client's mental capacity or other vulnerability, such as incapacity or duress
IB 1.22 - having a written complaints procedure which...
(c) is responsive to the needs of individual clients, especially those who are vulnerable.
Other outcomes - providing services in a manner that protects clients' interests, ensuring clients can make informed decisions, and taking account of their needs and circumstances (1.12), (1.2) and (1.5) - underline the importance of establishing systems that allow you to identify vulnerability in any case you handle.
5.1.2 Undue influence
Undue influence and duress are related to the topic of client vulnerability. How is the possibility of undue influence or duress to be identified when you are dealing with a client remotely through a semi-automated online legal service?
Undue influence is discussed in chapter 1 of the code in the context of client care. Negative IB 1.28 involves acting for a client when there are reasonable grounds for believing that the instructions are affected by duress or undue influence without satisfying yourself that they represent the client's wishes.
You must consider the question of undue influence as part of your assessment of prospective semi-automated online services. The nature of the service, the scope for undue influence, and the characteristics (including potential vulnerability) of your client-base will be relevant. You may be able to identify high-risk categories of legal services which should not be delivered through a semi-automated online legal service or whose design should differ from the design of other, less risky, services.
5.2 The client's legal issues
One risk that arises in the case of a semi-automated online legal service is that a client's legal problem is incorrectly or incompletely diagnosed. This can arise where a client chooses a semi-automated online service without discussing with a solicitor whether or not it is appropriate. This is a matter you should consider in designing your non-automated review processes. You should consider formation and limitation of retainers, as well as client care obligations.
5.2.1 Forming and limiting of retainers
You can seek to limit the scope of your retainer in relation to services, deliverables or liability. For example, you can provide online legal services on a non-advised basis (eg providing precedents, lodging client-prepared papers at court). Typically, this will be in return for a smaller fee and/or for more sophisticated clients.
A solicitor, or practice, may not contract out of their regulatory or ethical responsibilities under the code. (It should also be noted that a solicitor will be unable to limit the retainer in respect of many matters, eg the advice not being accurate or suitable for the client's circumstances. In addition, such restrictions may constitute unfair contractual terms or undermine the ethical principles of the code.)
You must give as complete information as possible prior to agreeing to provide a service, but clients with sufficient knowledge and experience can demand a specific service only.
Your duties under the code may be triggered as soon as preliminary advice is provided (a recent example is the Court of Appeal case of Padden v Bevan Ashford  EWCA Civ 1616, in which Lord Neuberger emphasised the fact that, just because advice was free, it did not relieve the firm from the responsibility of giving full advice and did not prevent the firm from being subject to the 'core minimum' duties set out by Lord Nicholls in Royal Bank of Scotland plc v Etridge  UKHL 44).
Retainers for online legal services are likely to be concluded online. This means there is no opportunity to explain or negotiate the provisions in a retainer. You should ensure that audit trails in your online service evidence the valid establishment of a contract or retainer and its precise scope.
5.2.2 Client care
Client care (chapter 1 of the code) focuses on providing proper standards of service that take into account the individual circumstances of clients.
Chapter 1 has several outcomes that require careful consideration by p
Outcome 1.2 - you must provide services to your clients in a manner which protects their interests in their matter, subject to the proper administration of justice.
The interests of the client will be different, depending on the matter in question and what sort of service is being provided. You should consider whether or not it is appropriate to deliver a particular semi-automated online legal service. Sometimes face-to-face advice or video-conferencing will be necessary as part of your non-automated review process.
Outcome 1.4 - you have the resources, skills and procedures to carry out your clients' instructions.
You should ensure that you can provide continuity of service and have sufficient capacity to satisfy demand. Where your technology is provided by a third-party supplier, you remain responsible for the performance of the tool and for ensuring that it reflects changes in the code, the law and professional legal practice.
Outcome 1.5 - you must ensure that the service you provide to clients is competent, delivered in a timely manner and takes into account your clients' needs and circumstances.
You and your client must be clear about what service is being provided and the scope of the retainer.
Without existing knowledge of a client, identifying their needs and circumstances remotely using computer software may be a significant risk. Steps to mitigate this risk should be part of the design of the automated component of your online service. 'Off-ramps' - barriers to proceeding with the automated component of your semi-automated online service and directions to alternative forms of legal advice or assistance - should be considered.
Outcome 1.12 - you must ensure that clients are in a position to make informed decisions about the services they need, how their matter will be handled and the options available to them.
Practices should provide clients with clearly written, relevant and prominently displayed information and guidance to inform their decisions. Whether a 'tick box' mechanism is a sufficient/acceptable form of consent has not been tested in the UK courts.
5.2.3 Reserved legal activities
In thinking about appropriate human review for your semi-automated service, it is essential that you take particular care if you are offering a reserved legal activity.
There are six reserved legal activities under the Legal Services Act 2007. Not all will be relevant to the provision of semi-automated legal services. They are:
- the exercise of rights of audience (ie appearing as an advocate before a court)
- the conduct of litigation (ie issuing proceedings before a court and commencing, prosecuting or defending those proceedings)
- reserved instrument activities (ie dealing with the transfer of land or property under specific legal provisions)
- probate activities (ie handling probate matters for clients)
- notarial activities (ie work governed by the Public Notaries Act 1801), and
- the administration of oaths (ie taking oaths, swearing affidavits, etc)
Anyone providing human review for a semi-automated reserved activity must be an authorised person for the service or their involvement will need to be such as to fall within the exemptions in Schedule 3 of the Legal Services Act 2007. Practices will be familiar with these provisions but should ensure that they are considered in the context of the design and delivery of semi-automated services.
6 Further information
The appendix to this practice note summarises some of the main generic compliance issues relevant to online legal services.
6.2 Law Society practice notes
6.3 Other resources
Annex 1: Electronic media - managing an online business
One aspect of achieving regulatory and professional conduct compliance in your provision of online legal services is addressing the generic compliance issues associated with using electronic media. These include accessibility, data protection, information security and business continuity.
Outcome 2.2 requires you to provide services to clients in a way that respects diversity.
Your practice must provide an appropriate level of service to all clients. You should consider expressing a clear commitment to equality and diversity. This applies to practices of all sizes and it applies to the provision of online, as well as conventional legal services.
Your practice should ensure that its website is WCAG 2.0 compliant.
You must ensure that your practice meets its legal obligations regarding minimum accessibility standards (section 20(6) of the Equality Act 2010).
You should review your online legal services from the perspective of equality and diversity. The Law Society's practice note Equality and diversity requirements: SRA Handbook provides further information.
Outcome 7.5 requires that you comply with legislation applicable to your business, including anti-money laundering and data protection legislation.
Online legal services should therefore address data protection compliance and you should apply the high-level approach, as set out in the Law Society's practice note on data protection, to all your services. Data protection compliance is, however, a minimum, and treating data protection as a bolt-on or a tick-box exercise is potentially a missed opportunity. You should also consider how your online legal services align with the practice's overall privacy and data protection policies.
The development or evaluation of new semi-automated online legal services is an opportunity to embed compliance as part of system design. This approach, which has been promoted by the Information Commissioner, is often called privacy by design.
The main principle underlying privacy by design is to think about privacy/data protection at each stage of a system's lifecycle, starting with the initial business case, through more detailed design and development, testing, deployment, subsequent reviews and enhancements and, eventually, decommissioning. Where you are evaluating an existing system rather than designing a new system, analysis of how clients' data are handled throughout their lifecycle - and how that matches your existing data handling procedures - should be undertaken.
Privacy by design (PDF), a 2008 report for the Information Commissioner's Office (ICO), pointed out that risk assessment approaches 'often fail to manage privacy needs throughout the system's lifecycle' and that 'many bespoke and off-the-shelf systems are still built without proper or innovative privacy controls'. It also advocates undertaking privacy impact assessments (guidance for which is available on the ICO's website) and collecting as little personal data as is necessary (data minimisation). It criticises organisations for failing to demand privacy functionality from systems vendors and for not valuing it highly when assessing products.
Practices remain responsible for ensuring data protection compliance when procuring systems from third parties. This includes responsibility for outsourced services including cloud-based IT. Practices planning to deploy online legal services on a cloud computing platform should consult the Information Commissioner's Guidance on the use of cloud computing (PDF).
You should be aware of proposals to make privacy by design obligatory. Article 23 of the EU's draft proposal for a General Data Protection Regulation (to replace the current Data Protection Directive 95/46/EC) proposes data protection by design and by default. This encompasses a requirement for data controllers to implement appropriate technical and organisational measures and procedures to meet the requirements of the regulation and protect the rights of data subjects. It also includes a variety of data minimisation mechanisms; empowers the European Commission to adopt delegated acts setting out design requirements across sectors, products and services; and also empowers it to lay down technical standards.
The key to effective cybersecurity is a security-management system that addresses security risk in the round - that is, personnel and physical security, as well as information and cybersecurity. Practices should have regard to the advice set out in the Law Society's Information security practice note.
Practices should analyse prospective online legal services as part of their overall approach to security. Additional cybersecurity controls will, of course, be needed to cope with internet-based vulnerabilities and threats. The web is an open forum, and the fact that online legal services are available much more widely means that solicitors must pay special attention to data security. Although they may bring practices and their clients together, sites and tools provided by practices may be targeted by hackers (in any part of the world) who seek to access sensitive information. In addition to the usual mechanisms, the following controls may therefore be relevant:
- penetration testing and vulnerability scanning of websites
- the use of secure protocols for websites (ie HTTPS)
- separation (physical or logical) and encryption of databases
- processes for opening and closing user and client accounts
- assessment of applications and their security (eg firewalls), and
- user authentication
Practices should ensure that they obtain appropriate expert advice from properly accredited and experienced information security professionals about the security of online legal systems. You may wish to consider acquiring a recognised security certification such as Cyber Essentials or ISO 27001, or making this a requirement for any systems you procure.
IB 7.3 involves 'identifying and monitoring financial, operational and business continuity risks, including complaints, credit risks and exposure, claims under legislation relating to matters, such as data protection, IT failures and abuses, and damage to offices'.
As with data protection and security, online legal services will add an extra dimension to your business continuity plans but should generally be approached as part of your overall business continuity management (BCM). The Law Society's Business continuity practice note points out that BCM is not just about IT systems recovery and that the relevant British Standard, BS 25999, describes it as a management process. This is in line with the approach adopted by chapter 7 of the code, which deals with business continuity as part of your management of the practice.
Managing an online business
Effective data protection, security and BCM are essentially management issues in relation to both conventional and semi-automated online legal services. There are some further management issues that you should consider when implementing online legal services.
The code contains a number of requirements on the provision and content of key documentation and notices. You should ensure that you meet these requirements in any online legal services medium you use. You should similarly keep copies and records of version changes, and consider the introduction of audit trails and logs to monitor how clients use online legal services.
As has been noted above, solicitors may not contract out of their regulatory or ethical responsibilities under the code. As such, all the outcomes in chapter 1 in relation to fees must be met. This includes providing accurate information on fees and disbursements, the preparation of invoices and the collection of fees.
Annex 2: Semi-automated online legal services checklist
1. Have you analysed the advantages and disadvantages of introducing semi-automated online legal services from your own perspective and your clients' perspective?
2. Are you planning to address professional and regulatory compliance from the outset of your online legal services project, and doing so with a 'built-in', rather than 'bolt-on', view to compliance?
3. Do you have processes to identify, monitor and manage the risks of introducing and then running semi-automated online legal services?
4. Do you have the relevant legal expertise to design or evaluate the correctness (including the logic) of your proposed service?
5. If your service will not demonstrate a relevant indicative behaviour, can you demonstrate how it nevertheless meets the associated outcome? Have you documented this?
6. What mechanisms do you have in place to deal with vulnerable clients or undue influence?
7. Is the scope of your retainer clearly set out? Do you have audit trails that will evidence the client's agreement?
8. Have you identified particular services/client groups for which semi-automated online provision is not appropriate?
9. Do you have the necessary resources, skills and procedures to deliver online legal services? Have you ensured that your third-party suppliers also have the necessary capacity?
10. Have you incorporated appropriate 'off-ramps' into your online service to direct clients towards alternative forms of legal advice or assistance?
11. Have you addressed the data protection, information security, business continuity and accessibility implications of your online service?
12. Have you considered the insurance, documentary and outsourcing implications, including notifying your professional indemnity insurer that you are undertaking this type of work?