Using lawtech in your practice
Overview
Lawtech can have a role in:
- tackling unmet legal demand
- promoting legal education
- early access to legal advice
It does, however, raise particular risks for firms and their duties to clients, particularly in respect of their professional conduct duties. This practice note looks at these risks.
Coronavirus
This practice note is an updated version of the 2016 practice note on semi-automated legal services and reflects specific issues related to the use of lawtech by firms during lockdown when staff are working from home.
It considers issues around legacy systems, procurement and security as well as the use of technology to innovate in the digital delivery of legal services while fee earners and clients are working from home for extended periods.
We’ll update this page as the effects of the current situation become clearer to ensure this advice is current and reflects lessons learned.
This practice note is the Law Society’s view of good practice in this area, and is not legal advice. For more information see the legal status.
Introduction
Glossary of terms specific to this practice note
- Artificial intelligence: the theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition and decision-making
- Chatbot: a software application used to conduct an online chat conversation via text or text-to-speech, in lieu of providing direct contact with a human agent
- Lawtech: technologies that aim to support, supplement or replace traditional methods for delivering legal services, or that improve the way the justice system operates
- Machine learning: a subset of artificial intelligence that sees computer algorithms improve automatically from experience
- GDPR: the General Data Protection Regulation, which came into effect across the European Economic Area on 25 May 2018 and was incorporated into UK law by the Data Protection Act 2018
Who should read this practice note?
All solicitors and members of their staff offering or planning to offer online legal services employing lawtech products.
What is the issue?
Practices introducing legal services employing lawtech face a number of regulatory and professional conduct challenges which they should address at the design or procurement stage by undertaking comprehensive risk assessments.
There have also been profound changes to the ways in which legal services are delivered since we published our practice note on semi-automated legal services in 2016. These relate not only to the products and services in the marketplace which employ new technologies, but to the advent of new regulations enabling solicitors to offer services outside of traditional legal entity models.
Changes to data protection law – the General Data Protection Regulation (GDPR) and Data Protection Act 2018 – have also taken effect since we produced our previous note and need to be taken into account.
In referring to ‘semi-automated’ legal services, the title of the 2016 practice note recognised the scope for the emergence of more fully, or wholly, automated legal products and services.
Such services would not involve any review or consideration by, and would not be under the supervision of, a solicitor. We pledged to review the implications of these services for the duties of solicitors if and when they emerged.
As before, our view is that it’s unclear how the professional conduct risks from wholly automated legal services might be mitigated. While much has changed in the legal product and services landscape over the last four years, we’re yet to see such products come to market. We’ll continue to keep this under review and produce further guidance for the profession as required.
The variety, nature and extent of lawtech products and services
In recent years there has been a growth in the ability to deliver legal services electronically and online using emerging technologies.
In the UK lawtech remains focused on efficiencies and automating tasks rather than delivering new types of law. The business-to-business market for lawtech is more mature than the business-to-consumer market. The most established products focus on collaboration tools, document and IP management, and e-billing solutions.
Emerging growth areas for lawtech include legal analytics, project management, governance and regulatory compliance, and contract management.
The Legal Geek startup map shows there’s been burgeoning growth in the number of lawtech companies in Europe in recent years which has, to date, not been matched by the rate of adoption in the legal services sector in the UK.
This is likely to change as the sector appears poised for a period of consolidation and later stage funding. The Law Society continues to work with technologists, academics, and government to influence the emergence of more tailored products that meet the needs of our members.
Lawtech delivery of client services
Online legal services involve interaction between a client and a practice's online system in which some automated decision-making is undertaken on the basis of information provided by the client. Appropriate human review is built in to ensure that key issues and risks are taken into account.
Automated legal services differ from a traditional service in which there is no automated decision-making and which simply uses the internet as a communications channel.
Digital technology can provide many stages of a typical legal service including (but not limited to):
- client onboarding, including regulatory compliance checks
- acceptance of instructions
- analysis of a client's legal problem
- construction of a complete or partially packaged legal solution
- delivery of the solution
- billing and payment
- storage or archiving of relevant records
- secure communication with clients, including document sharing and video calling
Examples of current use of technology by law firms to deliver legal services include:
- the use of chatbots to provide generic legal information (with options for direct engagement with legal practitioners)
- fixed-fee online advice services in legal practice areas ranging from family law to contract law
- automated assembly of legal documents, including wills
- online applications for grant of probate
- uncontested online divorces
- debt recovery
- document review and disclosure
As practices and clients become more familiar with online legal services, further innovation in their range and nature is likely.
Lawtech use in firms
Machine learning capabilities are already allowing computers to recognise patterns in large data sets, reducing the need for laborious legal research. As well as these efficiency gains, lawtech is an increasingly important part of law firm management, and the work of in-house teams and the not-for-profit advice sector. However, technology is used in different ways.
Private practice
Research suggests the technology investment strategies of the top 50 law firms are increasingly focused on key infrastructure, with upgrades to:
- practice management
- client relationship management
- flexible and remote working by fee earners
- HR systems
Other priorities are document review, demonstrating compliance with data protection requirements, and cybersecurity.
Pressure from corporate clients and their general counsel is driving lawtech adoption, particularly where it’s providing more advanced billing solutions that corporate clients expect, while other professional sectors, such as banking, are driving uptake of machine learning solutions by firms.
In-house
In-house teams are using lawtech for efficiency gains and to meet business needs. They may, however, need to overcome internal challenges to lawtech adoption relating to traditional ideas about functional relationships in organisations. They are also under greater pressure than their colleagues in private practice to produce a verifiable business case justifying expenditure on lawtech.
Not for profit
Lawtech products are used to help with unmet legal needs and increase access to justice. Increasingly, lawtech is used to develop:
- frontline services for legal education
- information and advice through chatbots
- legal aid calculators
- legal triage tools
Lawtech’s role in unmet legal needs
Research by the Legal Services Board shows that over half of adults in England and Wales faced a legal problem in the last three years, yet only one in three sought expert advice or assistance.
This reticence is reflected in evidence showing that 63% of people don't believe professional legal advice is affordable for 'ordinary people'. Others put the proportion of people and small businesses that fail to get legal advice when they need it as high as 80%.
See our Lawtech Adoption Research report
The size of the ‘latent legal’ market implied by these numbers is potentially huge, and new methods of providing technology-based legal services to consumers are already happening. Some of the knowledge underpinning these methods is being delivered by lawyers, and successful legal businesses in future are likely to be those whose business planning and delivery models are best adapted to the use of technology to address unmet need and maximise market share.
As well as its role in providing quality legal services at affordable prices for the mass market, lawtech also has the potential to transform access to justice, ensuring that legal services are available to those with limited ability to pay.
We have investigated the extent to which technology is a key to unlocking access to justice in our Technology, Access to Justice and the Rule of Law report which found that, while technology is not a silver bullet to making the justice and legal systems more accessible, it certainly has a role.
The report has good examples of the application of technology by organisations to meet legal needs, and we’re working with academics and organisations to promote best practice in innovation and legal training.
Lawtech: things to consider
The challenges of successfully implementing a lawtech delivery project should not be underestimated. You’ll want to evaluate these in the context of your current operations and future plans.
Our Introduction to Lawtech report can help guide you through some of the challenges involved. In particular, you may wish to consider whether there are equality and diversity implications for the services you offer your clients, and the impacts on vulnerable clients.
The regulatory and professional conduct environment
SRA regulation is based on responsive and responsible conduct, not on the tools firms use to achieve it. The principles of the SRA Standards and Regulations apply to your provision of legal services in general and do not distinguish between conventional legal services and services provided using lawtech products or services.
Delivery of legal services via lawtech must achieve the same minimum professional standards as your conventional services and, in order to ensure that they do so, you will need to decide which aspects of the service can be automated and which cannot.
The SRA’s approach to regulating technology is set out in its report Technology and legal services.
You must also satisfy generally applicable regulatory requirements, for example, in relation to the GDPR and Data Protection Act 2018 and the Equality Act 2010.
Data protection by design and default
As with most IT-related projects, it’s usually better to address professional and regulatory compliance early in the design or evaluation of your online legal service. It has always been good practice to carry out a privacy by design approach in project planning and the GDPR has made this a legal requirement under the term ‘data protection by design and by default’.
Additionally, where you propose using new technologies for data processing, and this is likely to result in high risk to the rights and freedoms of natural persons, you’re required to carry out a Data Protection Impact Assessment (DPIA).
The types of activities requiring a DPIA are set out in Article 35 of the GDPR, and the Information Commissioner's Office (ICO) has published a list of the types of processing it considers high risk. Importantly, if a DPIA is required, it must take place before the processing it assesses begins.
Your firm should have already considered the appointment of a Data Protection Officer (DPO) as part of its GDPR compliance. While most law firms will not be required to appoint a DPO under the GDPR, firms should evaluate their processing of personal data against the criteria for mandatory appointment. The ICO website has information on the appointment of DPOs.
If firms decide not to appoint a DPO, they should consider appointing a suitably senior and qualified person with the necessary resources to lead their data compliance function, and to involve them in any DPIA process.
There’s more information and guidance in our GDPR Guide for Law Firms
You should also consider the free online tool published by the French data protection regulator (CNIL), which walks you through the steps required to undertake a DPIA.
Price transparency
SRA transparency rules require solicitors and firms practising in particular legal areas to display prices and service information. There are requirements covering the format and clarity as well as the amount and nature of the information to be provided, and you'll want to pay particular attention to these requirements in providing services to clients that employ lawtech systems and services.
ePrivacy Regulation
On 4 October 2019, the Presidency of the European Council published its revised text of the Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications (the draft ePrivacy Regulation). It’s intended to replace the existing Privacy and Electronic Communications Regulations (PECR) which set specific rules on privacy rights in relation to electronic communications on:
- marketing calls
- emails, texts and faxes
- cookies (and similar technologies)
- keeping communications services secure
- customer privacy regarding traffic and location data, itemised billing, line identification, and directory listings
For now, the PECR remains in force, but you may wish to check the ICO website for developments.
Testing and quality assurance
You should test systems employing lawtech products and services in the same way as supervisors monitor and assess the work of trainees. This should be done regularly to ensure your firm is maintaining the quality and ethical standards required. It should incorporate a structured quality assurance programme for the systems you buy or use.
Regulators will need to see evidence that you’re undertaking regular testing and quality assurance in order to demonstrate compliance. Consequently, records of the outcomes of all testing should be maintained. If testing reveals any risks, these should be added to the firm’s risk register and then reduced over time as a result of regular risk review meetings and actions.
All quality assurance, whether carried out internally or by external assessors, should be recorded and all recommended actions should be carried out without undue delay.
Responsibility for meeting your regulatory duties cannot be outsourced to technology providers. The SRA has made clear in sections 2.1, 2.3 and 2.5 of its Code of Conduct for Firms that where flaws or errors exist in systems acquired from third parties, it's unlikely to take regulatory action where firms have done everything they reasonably could to assure themselves that the system was appropriate and to prevent issues arising. Your due diligence records and testing evidence are what show that you did so.
You should consider organising regular, preferably annual, penetration testing of any lawtech system by an external assessor with suitable technical expertise, and repeating it after significant changes to the system. Any pen test should be accompanied by a written report detailing the outcome of the test and identifying any weaknesses or failures that need to be addressed. Any failings identified should be addressed in a reasonable and proportionate manner depending on the severity of the risk and the resources reasonably available to manage that risk.
You should also assess your organisation's preparedness to respond to a cyberattack that could lead to a data protection breach affecting your lawtech system, as highlighted in the SRA Code of Conduct for Firms. The National Cyber Security Centre (NCSC) has a range of exercises that can be followed by the teams and boards responsible for identifying and managing such risks, such as its Exercise in a Box. These tools are free of charge, and records of having run them can help demonstrate compliance with both the GDPR and the SRA's regulatory objectives.
Managing the risks of legal services utilising lawtech products and services
Lawtech is still unfamiliar to many practices. While the SRA does not intend to impose specific rules on its use, including systems which employ artificial intelligence (AI) or machine learning, the SRA Principles and Codes of Conduct still apply to firms using them.
Risk identification, assessment and evaluation
The Principles and the Codes (Combined Solicitor and Firm Codes) require compliance risks to be managed. In considering the use of lawtech systems or tools you should pay particular attention to:
- Principle 2: to act in a way that upholds public trust and confidence in the solicitor profession and in legal services provided by authorised persons
- Principle 6: to act in a way that encourages equality, diversity and inclusion
- Principle 7: to act in the best interests of each client
Risk assessment involves the identification, categorisation and, as far as possible, mitigation of risk. Some residual risk will always remain; where it exceeds the level you're willing to accept, the service should not go ahead in that form.
Effective risk management is a positive obligation placed on:
- firms
- owners and managers
- Compliance Officers for Legal Practice (COLPs)
- Compliance Officers for Finance and Administration (COFAs)
You should have systems to monitor and manage risk continuously.
Your firm should have a risk register which should include any risks identified through the operation of any lawtech products and services.
Once identified, steps should be taken over time with due regard to the level of severity of that risk to amend or remove these risks through organisational or technical measures. You should keep a record of both identifying these risks and how you manage them to show compliance with regulatory objectives. These records may include copies of the risk register as updated over time as well as the minutes of periodical risk review meetings where risks have been identified and managed.
Where applicable, the minutes of partnership meetings, board meetings and wider compliance meetings may also contain evidence that demonstrates compliance with the need to demonstrate the management of these risks.
You should also carry out thorough due diligence on any technology partner, product or supplier.
The legal technology procurement checklist in the annexes to this note has guidance on questions that need to be asked regarding security, privacy and data protection compliance.
This should be done for all technology used by your firm, including communications technology such as digital phones, voicemail provision, video conferencing and instant messaging.
Free consumer services such as Dropbox, Google Hangouts, LinkedIn Messenger and Facebook Messenger should not be used for business purposes. Should a client contact you on LinkedIn or send you messages there, move the conversation onto your secure business email as soon as possible.
The NCSC does not recommend the use of WhatsApp for business related activity. It can be fine for informal chats and social plans discussed by colleagues in a team, but it should not be used for contacting clients or for discussing client related business activity.
Risk and innovation
As noted above, SRA regulation is based on responsible and responsive conduct, rather than the tools used to meet them. This means that the SRA Principles and Codes still apply despite the absence of specific rules on the use of technology.
SRA Innovate is a programme to support legal businesses in managing the risks associated with innovation. This “regulatory sandbox” functions as a safe space for firms to test novel ideas and the SRA guarantees that no enforcement action will be taken if innovations bring firms into technical breach of its rules.
Managing specific risks in lawtech
Certain characteristics of lawtech systems and services may heighten the risk of non-compliance with particular requirements in the Codes. They include:
- dealing with clients remotely (understanding your client)
- dealing with clients' legal problems through standardised interfaces (the client's legal issues)
These are considered below.
Annex 1 briefly outlines dealing with clients through the internet and the web (electronic systems) and running a business that involves online legal services (managing your business).
Understanding your client
If your semi-automated online legal service does not involve any direct personal interaction with a client, it may be impossible to assess matters, including:
- your client's vulnerability
- the possibility of undue influence and impersonation
- their full needs and circumstances
However, where there is some degree of interaction, your processes and procedures may be able to address such issues. How they do so should be documented.
Vulnerable clients
'Vulnerable client' is not defined in the codes and is probably not a fixed category. However, section 3.4 of the SRA Code of Conduct for Solicitors, RELs and RFLs states that you must "consider and take account of your client's attributes, needs and circumstances".
Section 4.2 of the SRA Code of Conduct for Firms states that you must "ensure that the service you provide to clients is competent and delivered in a timely manner and takes account of your client's attributes, needs and circumstances".
Individuals can be temporarily vulnerable for physical, social or psychological reasons – for example, following an accident, arrest, bereavement or marriage breakdown. They may also suffer enduring physical or social vulnerability – for example, severe cognitive impairment or long-term homelessness. Vulnerability is therefore multi-faceted and may affect any client using an online legal service.
It's important to adopt a broad definition within your organisation of who could constitute a vulnerable client. They could, for example, be someone with a non-visible physical disability that requires a significant amount of daily care and support, or someone recovering from a serious or life-threatening illness.
Vulnerable clients may be heavily dependent on carers such as family members or close friends. It's also important to take a holistic view of a client's potential vulnerability: an individual's income or social status should not by itself lead you to conclude that they are not in a vulnerable situation.
The SRA has confirmed that vulnerable clients are a supervisory priority.
Vulnerability is relevant to at least two of the mandatory principles:
- Principle 6: you must act in a way that encourages equality, diversity and inclusion
- Principle 7: you must act in the best interests of each client
Undue influence
Undue influence and duress are related to client vulnerability. How is the possibility of undue influence or duress to be identified when you’re dealing with a client remotely through a semi-automated online legal service?
You must consider the question of undue influence as part of your assessment of prospective semi-automated online services. The nature of the service, the scope for undue influence, and the characteristics (including potential vulnerability) of your client-base will be relevant. You may be able to identify high-risk categories of legal services which should not be delivered through a semi-automated online legal service or whose design should differ from the design of other, less risky, services.
It may be necessary to incorporate a risk assessment into the initial client onboarding process to identify whether the client could be under duress from another party. This could be more than just emotional pressure, it could be from:
- financial pressure
- the threat of debt
- withdrawal of a financial benefit or support
The assessment should be as thorough for online legal services as it would be for clients you meet in person.
The client's legal issues
One risk of providing a semi-automated online legal service is that a client's legal problem is incorrectly or incompletely diagnosed. This can arise where a client chooses a semi-automated online service without discussing with a solicitor whether or not it's appropriate. You should consider this when designing your non-automated review processes. You should also take into account the formation and limitation of retainers, as well as client care obligations.
Forming and limiting of retainers
You can seek to limit the scope of your retainer in relation to services, deliverables or liability. For example, you can provide online legal services on a non-advised basis (for example, providing precedents, lodging client-prepared papers at court). Typically, this will be in return for a smaller fee and/or for more sophisticated clients.
A solicitor or practice may not contract out of their regulatory or ethical responsibilities under the codes. (It should also be noted that a solicitor will be unable to limit the retainer in respect of many matters, for example, the advice not being accurate or suitable for the client's circumstances. In addition, such restrictions may constitute unfair contractual terms or undermine the ethical principles of the codes.)
You must give as complete information as possible prior to agreeing to provide a service, but clients with sufficient knowledge and experience can demand a specific service only.
Your duties under the code may be triggered as soon as preliminary advice is provided.
An example is the Court of Appeal case of Padden v Bevan Ashford [2011] EWCA Civ 1616, in which Lord Neuberger emphasised that the fact that advice was free did not relieve the firm of the responsibility to give full advice, and did not prevent the firm from being subject to the 'core minimum' duties set out by Lord Nicholls in Royal Bank of Scotland plc v Etridge [2001] UKHL 44.
Retainers for online legal services are likely to be concluded online. This means there is no opportunity to explain or negotiate the provisions in a retainer. You should ensure that the audit trail in your online service shows the valid establishment of a contract or retainer and its precise scope: what terms the client was shown, when, and what they accepted. That record is only useful if it can later be shown not to have been altered.
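One way to make such an audit trail tamper-evident is a hash chain, in which every recorded event commits to the hash of the event before it, so that altering or deleting an earlier entry invalidates everything that follows. The example below is added here to illustrate that approach and is not code from the original practice note or from any particular product; the event names, field names and the client reference are assumptions chosen for illustration, and the sample retainer events are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hash of "nothing": the first entry chains to this constant.
GENESIS = "0" * 64


def _canonical(obj) -> bytes:
    # Stable serialisation (sorted keys, no whitespace) so the same event
    # always produces the same hash regardless of dict ordering.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_event(chain, event_type, payload, at=None):
    """Append one audit event; its hash covers the payload and the previous hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {
        "seq": len(chain),
        "at": at or datetime.now(timezone.utc).isoformat(),
        "type": event_type,
        "payload": payload,
        "prev_hash": prev_hash,
    }
    entry["hash"] = sha256_hex(_canonical(entry))
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Recompute every hash. Returns (True, None) or (False, index of first bad entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev_hash or sha256_hex(_canonical(body)) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    return True, None


def record_retainer(client_ref, terms_text, in_scope, out_of_scope):
    """Constructed example: record what was shown and what was accepted.

    The terms document is stored by hash, so the exact text presented can be
    proven later by producing a document that hashes to the same value.
    Fixed timestamps are used here so the example is reproducible.
    """
    chain = []
    append_event(chain, "terms_presented",
                 {"client": client_ref, "terms_sha256": sha256_hex(terms_text.encode("utf-8"))},
                 at="2020-06-01T09:00:00+00:00")
    append_event(chain, "scope_accepted",
                 {"client": client_ref, "in_scope": in_scope, "out_of_scope": out_of_scope,
                  "accepted_via": "tick_box"},
                 at="2020-06-01T09:02:13+00:00")
    return chain


if __name__ == "__main__":
    chain = record_retainer("C-001", "Standard terms of business v1", ["draft will"], ["tax advice"])
    print("intact:", verify_chain(chain))
    # Simulate a later, unauthorised widening of the agreed scope.
    chain[1]["payload"]["in_scope"].append("tax advice")
    print("after edit:", verify_chain(chain))
```

A hash chain detects alteration of individual entries, but someone with write access to the whole store could rewrite the chain from the tampered entry onwards. To close that gap, the current head hash should be anchored somewhere the application cannot rewrite, for example written to a separate system or signed and timestamped at regular intervals.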
Client care
Client care (Section 1 of the Codes, Section 3 of the Solicitor Code and Section 4 of the Firm Code) focuses on providing proper standards of service that take into account the individual circumstances of clients.
The interests of the client will be different, depending on the matter in question and what sort of service is being provided. You should consider whether it’s appropriate to deliver a particular semi-automated online legal service. Sometimes face-to-face advice or video conferencing will be necessary as part of your non-automated review process.
You should ensure that you can provide continuity of service and have sufficient capacity to satisfy demand. Where your technology is provided by a third-party supplier, you remain responsible for the performance of the tool and for ensuring that it reflects changes in the codes, the law and professional legal practice.
You and your client must be clear about what service is being provided and the scope of the retainer.
Without knowledge of a client, identifying their needs and circumstances remotely using computer software may be a significant risk. Steps to mitigate this risk should be part of the design of the automated component of your online service. 'Off-ramps' – barriers to proceeding with the automated component of your semi-automated online service and directions to alternative forms of legal advice or assistance – should be considered.
Practices should provide clients with clearly written, relevant and prominently displayed information and guidance to inform their decisions. Whether a tick box mechanism is a sufficient/acceptable form of consent has not been tested in the UK courts.
Reserved legal activities
In thinking about appropriate human review for your semi-automated service, it’s essential to take particular care if you are offering a reserved legal activity.
There are a number of reserved legal activities under the Legal Services Act 2007. Not all will be relevant to the provision of semi-automated legal services. They are:
- the exercise of rights of audience (appearing as an advocate before a court)
- the conduct of litigation (issuing proceedings before a court and commencing, prosecuting or defending those proceedings)
- reserved instrument activities (dealing with the transfer of land or property under specific legal provisions)
- probate activities (handling probate matters for clients)
- notarial activities (work governed by the Public Notaries Act 1801)
- the administration of oaths (taking oaths, swearing affidavits, etc)
Anyone providing human review for a semi-automated reserved activity must be an authorised person for the service or their involvement will need to be such as to fall within the exemptions in Schedule 3 of the Legal Services Act 2007. Practices will be familiar with these provisions but should ensure that they’re considered in the context of the design and delivery of semi-automated services.
Further information
Appendix
The appendix to this practice note summarises some of the main generic compliance issues relevant to online legal services.
Annex 1: Electronic media - managing an online business
Electronic media
One aspect of achieving regulatory and professional conduct compliance in your provision of online legal services is addressing the generic compliance issues associated with using electronic media. These include:
- accessibility
- data protection
- information and business continuity
Accessibility
Outcome 2.2 requires you to provide services to clients in a way that respects diversity.
Your practice must provide an appropriate level of service to all clients. You should consider expressing a clear commitment to equality and diversity. This applies to practices of all sizes and to the provision of online, as well as conventional legal services.
Your practice should ensure that its website is WCAG 2.0 compliant.
You must ensure that your practice meets its legal obligations regarding minimum accessibility standards (section 20(6) of the Equality Act 2010).
You should review your online legal services for equality and diversity.
Data protection
SRA Outcome 7.5 requires that you comply with legislation applicable to your business, including anti-money laundering and data protection legislation.
Online legal services should therefore address data protection compliance with the GDPR and DPA 2018 (see section 3.1 above). Data protection compliance is, however, a minimum, and treating data protection as a bolt-on or a tick-box exercise is potentially a missed opportunity. You should also consider how your online legal services align with the practice's overall privacy and data protection policies.
See our GDPR and DPA guidance for solicitors in law firms
The development or evaluation of new semi-automated online legal services is an opportunity to embed compliance as part of system design. You can find out more about this approach, ‘Data protection by design and default’ in section 3.2 above.
You should also consider the free online tool published by the French data protection regulator, the CNIL, which walks you through the steps required to undertake a DPIA.
Practices remain responsible for ensuring data protection compliance when procuring systems from third parties. This includes responsibility for outsourced services including cloud-based IT. Practices planning to deploy online legal services on a cloud computing platform should consult the Information Commissioner's Guidance on the use of cloud computing (PDF 347 KB).
Security
The key to effective cybersecurity is a security management system that addresses security risk in the round – that is, personnel and physical security, as well as information and cybersecurity. Our coronavirus cybersecurity, fraud prevention and lawtech hub page has more information.
Practices should analyse prospective online legal services as part of their overall approach to security. Additional cybersecurity controls will, of course, be needed to cope with internet-based vulnerabilities and threats. The web is an open forum, and the fact that online legal services are available much more widely means that solicitors must pay special attention to data security.
Although they may bring practices and their clients together, sites and tools provided by practices may be targeted by hackers from anywhere in the world trying to access sensitive information. In addition to the usual mechanisms, you may also need:
- penetration testing and vulnerability scanning of websites
- the use of secure protocols for websites (HTTPS)
- separation (physical or logical) and database encryption
- processes for opening and closing user and client accounts
- an assessment of applications and their security (for example, firewalls)
- user authentication
Practices should ensure that they obtain appropriate expert advice from properly accredited and experienced information security professionals about the security of online legal systems. You may wish to consider acquiring a recognised security certification such as Cyber Essentials or ISO 27001, or making this a requirement for any systems you procure.
Business continuity
As with data protection and security, online legal services will add an extra dimension to your business continuity plans but should generally be approached as part of your overall business continuity management (BCM). BCM is not just about IT systems recovery; the relevant British Standard, BS 25999, describes it as a management process. This is in line with the approach adopted by the codes.
Remote working
While ensuring best practice in cybersecurity and data protection, the design of any lawtech system should also allow it to be accessed securely by staff and administrators working outside of the office.
Lawtech should provide flexibility not just for the client as the end user but also for any staff administering the system. The system should be accessible by administration staff when out of the office so that they may provide routine support as well as a rapid response in the event of a cybersecurity attack or data protection breach.
All data protection breaches must be reported to the ICO within 72 hours of a firm becoming aware of a breach. This 72-hour period includes out-of-office hours and public holidays. Firms must ensure that no time is wasted in responding to a possible data protection breach because a system is only operable from within the confines of a fixed office. To avoid delay in responding to possible data protection breaches, firms must ensure that systems are accessible by administration staff at all times.
Managing an online business
Effective data protection, security and BCM are management issues of both conventional and semi-automated online legal services. There are some further management issues that you should consider when implementing online legal services.
Documentation
The codes have requirements on the provision and content of key documentation and notices. You should ensure that you meet these requirements in any online legal services medium you use. You should similarly keep copies and records of version changes and consider having audit trails and logs to monitor how clients use online legal services.
Fees
Solicitors may not contract out of their regulatory or ethical responsibilities under the codes. This includes providing accurate information on fees and disbursements, the preparation of invoices and the collection of fees.
Annex 2: Semi-automated online legal services checklist
1. Have you analysed the advantages and disadvantages of introducing semi-automated online legal services from your own perspective and your clients' perspective?
2. Are you planning to address professional and regulatory compliance from the outset of your online legal services project, and doing so with a 'built-in', rather than 'bolt-on', view to compliance?
3. Do you have processes to identify, monitor and manage the risks of introducing and then running semi-automated online legal services?
4. Do you have the relevant legal expertise to design or evaluate the correctness (including the logic) of your proposed service?
5. Can you demonstrate how your service meets an associated outcome? Have you documented this?
6. What mechanisms do you have in place to deal with vulnerable clients or undue influence?
7. Is the scope of your retainer clearly set out? Do you have audit trails that will evidence the client's agreement?
8. Have you identified particular services/client groups for which semi-automated online provision is not appropriate?
9. Do you have the necessary resources, skills and procedures to deliver online legal services? Have you ensured that your third-party suppliers also have the necessary capacity?
10. Have you incorporated appropriate 'off-ramps' into your online service to direct clients towards alternative forms of legal advice or assistance?
11. Have you addressed the data protection, information security, business continuity, remote access and accessibility implications of your online service?
12. Have you considered the insurance, documentary and outsourcing implications, including notifying your professional indemnity insurer that you are undertaking this type of work?
13. Do you have regular external assurance on the security and regulatory compliance of your lawtech system from an external assessor?
14. Implement a regular exercise simulating the impact of a cybersecurity attack affecting your lawtech system and your firm’s response to such an attack. Utilise the free tools provided for you by the NCSC.
Legal technology procurement checklist
This list is not exhaustive but should help you to start a dialogue with the provider ahead of confirming supply, agreeing terms and signing any contracts. As part of your due diligence, ensure that you can answer these questions:
1. Where are the servers that will hold personal data located? Are they in the UK, EU, US or elsewhere?
2. If servers are located in the US, does the service provider subscribe to the EU/US Privacy Shield? (search the register)
3. If the servers are located outside of the UK, EU or US, does the country benefit from a determination from the European Commission? (search the list)
4. What security provisions are in place on the server – is it encrypted, and if so to what standard (for example, TLS, SSL) and level (for example, 128-bit)?
5. What happens to your firm’s data should you stop using the service or system – how is it returned to you, and how long will the provider retain it for, if at all?
6. If you’re commissioning a developer to build a system such as an app, chatbot, website or case management system, who will own the IP when it’s completed?
7. Will the service provider be able to access your firm’s data? What security measures are in place to stop the provider accessing this data?
8. In the event of a data protection breach, what’s their breach response plan? When would you be notified? What information do they undertake to provide to help you comply with your legal and regulatory requirements?
9. Will the service provider help your firm commission an independent penetration test or assessment of their system so you can demonstrate you’re meeting your obligations as a data controller?
10. Will the service provider work with you and take part in any test data protection breach or cyberattack simulation to rehearse your respective organisations’ response plans?
Practice notes represent the Law Society’s view of good practice in a particular area. They are not intended to be the only standard of good practice that solicitors can follow. You are not required to follow them but doing so will make it easier to account to oversight bodies for your actions.
Practice notes are not legal advice, and do not necessarily provide a defence to complaints of misconduct or poor service. While we have taken care to ensure that they are accurate, up to date and useful, we will not accept any legal liability in relation to them.
For queries or comments on this practice note contact our Practice Advice Service.
SRA Principles
There are seven mandatory principles in the SRA Standards and Regulations which apply to all aspects of practice. The principles apply to all authorised individuals (solicitors, registered European lawyers and registered foreign lawyers), authorised firms and their managers and employees, and to the delivery of regulated services within licensed bodies.
Must – a requirement in legislation or a requirement of a principle, rule, regulation or other mandatory provision in the SRA Standards and Regulations. You must comply, unless there are specific exemptions or defences provided for in relevant legislation or regulations.
Should – outside of a regulatory context, good practice, in our view, for most situations. In the case of the SRA Standards and Regulations, a non-mandatory provision, such as may be set out in notes or guidance.
These may not be the only means of complying with legislative or regulatory requirements and there may be situations where the suggested route is not the best route to meet the needs of a particular client. However, if you do not follow the suggested route, you should be able to justify to oversight bodies why your alternative approach is appropriate, either for your practice, or in the particular retainer.
May – an option for meeting your obligations or running your practice. Other options may be available and which option you choose is determined by the nature of the individual practice, client or retainer. You may be required to justify why this was an appropriate option to oversight bodies.