Coronavirus (COVID-19) update
One of the many impacts of COVID-19 is that those law firms that do not currently use cloud infrastructure are facing increased challenges with their existing legacy on-premise IT infrastructure not being ‘fit for purpose’ for widespread and an indefinite period of remote working. As a result, you could be looking to move to the cloud at an accelerated pace. Although you need to move fast the guidance in this practice note should still be considered.
In addition, a couple of COVID-19 specific issues as they relate to cloud computing should also be considered.
Irrespective of the actual wording of the force majeure clause in the cloud contract, ensure that the force majeure clause expressly excludes COVID-19 and/or any government/legal or regulatory steps taken to combat COVID-19. If the cloud service provider resists this, then you should consider agreeing a specific provision dealing with the impacts of COVID-19 (rather than leaving the force majeure clause ‘as is’).
Consider whether a force majeure clause excuses all performance of a cloud service provider or whether the occurrence of a force majeure event should not excuse the cloud service provider’s obligation to implement disaster recovery/business continuity obligations and to restore services. If a cloud service provider is excused from implementing disaster recovery/business continuity plans in the event of a force majeure event, you should consider revising the clause as that may be when you need disaster recovery/business continuity the most.
This practice note is the Law Society’s view of good practice in this area, and is not legal advice. For more information see the legal status.
Who should read this practice note?
Any person at a law firm (whether that is a solicitor, practice manager or IT person) looking to procure cloud computing services on behalf of their firm and all solicitors using or planning to use cloud computing services.
What's the issue?
Legal practices are increasingly using cloud computing as an alternative to 'traditional' software. Cloud computing has several advantages, but it also carries additional risks which your firm should navigate carefully.
What is cloud computing?
Overview of cloud computing
Whilst the terms ‘cloud’ and ‘cloud computing’ have become much more familiar to lawyers in the last few years, there can still be some confusion about definitions and acronyms.
In this practice note we focus on the basic concept of a ‘web-based software service or solution’.
In practical terms, you can understand cloud computing as software or services that can be accessed and used over the internet using a browser (or, commonly now, a mobile app), where the software itself is not installed locally on the computer or phone being used by the lawyer accessing the service.
Your data are also processed and stored on remote servers rather than on local computers and hard drives. Cloud applications might also be referred to as ‘web services’ or ‘hosted services’.
Cloud services might be hosted by a third party (most commonly Amazon or Microsoft) or, more commonly in the legal profession, by a provider running its services on Amazon, Microsoft, or another cloud data centre provider. It’s also possible, though unlikely, that a law firm could host and provide its own private cloud services.
Examples of cloud computing
Cloud computing examples:
- in the commercial and business world include Salesforce.com, BaseCamp, Microsoft Office 365, LinkedIn and Slack
- for individuals include Dropbox, Gmail, and Evernote
- specifically for legal practices include services such as Clio, Rocket Matter and NetDocuments
Types of cloud service
Cloud services can generally be classified into three types:
- infrastructure as a service (IaaS): basic infrastructure (eg servers in a data centre) on which users can load their own applications. IaaS providers include AWS, Microsoft, Google, Rackspace, CenturyLink, IBM SoftLayer, Fujitsu, NTT and VMware
- platform as a service (PaaS): a development platform which customers can use to develop and run their own applications. PaaS providers include AWS, Microsoft Azure, Google App Engine, Salesforce, SAP HANA and IBM Cloud
- software as a service (SaaS): ready-made applications like word processing, customer relationship management, data storage or email. Larger SaaS providers include Microsoft (Office 365), Google (G Suite), Adobe (editing and design), Dropbox (storage), Salesforce (CRM), Intuit (finance and tax), LogMeIn (comms and conferencing), SAP (ERP) and Workday (HR)
As the cloud develops and new services proliferate, it is now common to speak of XaaS (“Anything as a Service”). In addition to SaaS, examples include AIaaS (Artificial Intelligence), BPaaS (Business Process) and DaaS (Data or Device).
Cloud services can be deployed in different ways:
- a public cloud is the most common deployment type. A public cloud service provider offers cloud based services to external customers
- a private cloud is owned and deployed by an organisation for its own exclusive use. Private clouds can potentially offer you greater security and knowledge of where your data is being held, but costs will be higher and there may be limited scalability
- hybrid clouds integrate private networks or data centres with a public cloud so that the latter can act as a backup to provide additional capacity to meet exceptional demand
- finally, community clouds are established by organisations who have a common requirement for certain standards of service, particular software or levels of security. For example, a group of law firms could establish a community cloud
A variety of more detailed and informal definitions and descriptions of cloud computing – including an outline of the public, private and hybrid deployment models - can be found under Further Information below.
Defining cloud computing from a regulatory perspective
In most cloud computing scenarios, data, including personal data, is processed on a third-party server or application. This is significant from a professional conduct and regulatory compliance perspective.
If personal data is being processed by the cloud service provider, the GDPR and the Data Protection Act 2018, including their security provisions, need to be complied with (see section four).
Practices are also subject to professional conduct obligations to maintain client confidentiality, properly manage their practices and facilitate Solicitors Regulation Authority (SRA) access to data (see section five).
What are the risks and benefits of cloud computing and understanding roles and responsibilities?
Cloud computing has the potential to offer a rich mix of benefits and risks which your firm should evaluate in the light of its own circumstances.
Over the years the potential benefits and risks of cloud computing have not really changed and can be summarised as follows.
Potential benefits:
- Improved backup/disaster recovery
- Increased storage capacity
- Increased data handling capacity
- Reduced infrastructure costs
- Avoiding frequent updates to software
- Reduced internal IT staff costs
Potential risks:
- Security, data confidentiality and location of data
- Service reliability and stability
- Lack of control over customisation and integration
- Service response time, and enforcing service level agreements (SLAs)
- Speed and bandwidth
- Danger of supplier lock-in
- Difficulty of achieving executive buy-in
Analysing risks and benefits
Some issues, like information security, can potentially be a risk or a benefit to your firm, depending on several factors.
You should understand prospective cloud service offerings fully, to make sure that they:
- meet your business requirements
- are procured under a robust business case
- have been subjected to a full risk and compliance analysis
If you do not have relevant expertise in-house, you should obtain independent expert advice.
Understanding roles and responsibilities
From a law firm’s perspective, one of the significant areas of risk involved with cloud computing is associated with the division of activities and responsibilities between the cloud service provider and the law firm.
A clear understanding of which activities are within the scope of the service (“in-scope”) and which are not gives the law firm and/or the cloud service provider the opportunity to fill any gap (perhaps with an additional service) and reduces the risk of customer satisfaction issues.
One way to assess gaps is to review the capabilities required by the appropriate cloud service model (SaaS, PaaS or IaaS).
You also need to understand the growing trend of cloud service providers utilising business partners and/or value-added resellers (VARs) to sell their cloud services.
A VAR often offers its own ‘agreement’, which is mostly a ‘wrapper’ around the cloud service provider’s contract and adds a layer of contractual complexity that needs to be navigated.
You should take time to examine and compare what is in the VAR’s agreement versus what is in the cloud service provider’s contract to make sure that:
- the VAR agreement does not weaken the commitments of the cloud service provider
- you’re fully aware of the VAR’s role in notifications, communication, incident reporting, correction of billing errors, collection of service credits, etc
In most but not all of these reseller agreements, the VAR or business partner is largely acting as an agent for one cloud service provider, or as an integrator or broker for selecting cloud services, but with such a model there is a risk of introducing additional delays or finger-pointing.
Data protection and information security
Your existing data protection policies
The starting point for evaluating cloud services should be your practice's existing data protection, information security and business continuity management frameworks and policies.
Your data protection and information security leads should be involved from the outset.
You may want to ensure that the cloud service provider complies with your applicable policies. A practical difficulty is that the cloud service provider may find it difficult on a public cloud model to accept obligations to comply with policy requirements of particular customers.
However, as cloud provision becomes more extensive and cloud service providers offer more services that comply with particular sector specific regulatory requirements, market practice is emerging around the cloud service provider agreeing to comply with law firm policies provided before contract start and/or the cloud service provider accepting new or certain changes to law firm policies on a chargeable basis through change control.
Data protection considerations
The GDPR and the Data Protection Act 2018 (collectively referred to in the remainder of this practice note as ‘Data Protection Law’) changed personal data regulation with significant consequences for cloud computing.
Deployments that simply process non-personal data, for example, some knowledge management tools, are not covered by the Data Protection Act. But the law uses a broad definition for 'personal data', so you should look carefully at the Information Commissioner’s Office's guidance on determining what constitutes personal data.
Where Data Protection Law is relevant (which will almost always be the case where the service covered by the cloud contract touches personal data anywhere in the EU/UK) key considerations include the following.
Do you need to prepare a data protection impact assessment (“DPIA”)?
You should consider at an early stage whether to prepare a DPIA for the cloud service and if so (whether required under Data Protection Law or as good practice) to prepare it side by side with negotiating the contract.
Is the cloud service provider a data controller or data processor?
Data Protection Law sets out different rules depending on an entity’s role as controller or processor of personal data. In summary the controller determines the purpose and means (the ‘why’ and ‘how’) of the processing, and has responsibilities arising directly under Data Protection Law. The processor processes personal data on behalf and on the instructions of the controller and is generally indirectly subject to Data Protection Law in this context through the controller’s duty to have written terms in place with the processor.
Reaching a view as to respective roles may be difficult as:
- the boundaries between controller and processor can become blurred
- the same cloud service provider can be a processor for some activities (e.g. SaaS provider) and a controller for others (e.g. consulting services)
- if both are controllers, the law firm and the cloud service provider may be separate controllers for some activities but joint controllers (where different duties arise) for others
If the cloud service provider is a data controller, what contract terms will need to be included?
Data Protection Law requires no specific or prescriptive terms but as mentioned above, Data Protection Law will apply directly to the cloud service provider. Whilst no clauses are mandated to be included in the cloud contract you should consider including the following:
- each of the law firm and cloud service provider accepting an obligation to the other to comply with Data Protection Law
- each party accepting an obligation to cooperate with and assist the other on Data Protection Law-related matters
- an express obligation on the cloud service provider to take appropriate technical and organisational measures for the security of personal data
If the cloud service provider is a data processor, what contract terms will need to be included?
Data Protection Law is very prescriptive in this scenario and the contract will need to meet the specific terms set out in Article 28(3) of the GDPR (see section 4.3).
Will personal data be transferred from the UK/EU?
Articles 44 to 50 GDPR cover transfers of personal data to countries outside the EU. Generally, for any third country where the EU has not taken an ‘adequacy’ decision on the privacy laws of that country, data exports are permitted only:
- where the entities have entered into Binding Corporate Rules (“BCRs”) regarding personal data
- (in the case of transfer to the US) where Privacy Shield arrangements apply; or
- where the parties have entered into the relevant EU Commission’s model standard contractual clauses (controller to controller or controller to processor)
Where the cloud service provider is a data processor and personal data is to be processed outside the adequacy, BCR or Privacy Shield regimes, effectively two sets of controller to processor clauses will need to be included in the cloud contract: (1) those prescribed by Article 28; and (2) the standard contractual clauses (controller to processor).
Where the cloud service provider is a data controller and adequacy, BCR or Privacy Shield arrangements do not apply, the standard clauses (controller to controller) will be needed.
What is the liability position for breach of data protection obligations?
Liability under the GDPR can be significant, which explains to an extent why discussions around the liability limitation clause in cloud contracts have become more contentious since the implementation of Data Protection Law.
Market practice in cloud contracts is starting to develop in relation to this issue where breach of the cloud service provider’s data protection, information security and confidentiality duties are removed from the general liability cap and dealt with separately, with either unlimited liability (rare but possible), a higher cap or indemnification, which may also cover fines and the costs of regulatory action.
Overview of mandatory clauses to be included in a cloud computing contract where the cloud service provider is a processor
As mentioned above, Article 28(3) of the GDPR prescribes the provisions which must be included in a contract between a controller and a processor. The contract, at a minimum, must contain the following operational details:
- the subject matter, duration, nature and purpose of the data processing
- the type of personal data being processed
- the categories of data subjects whose personal data is being processed
The contract must also include the following clauses:
- that the cloud service provider will only process personal data received from the law firm on documented instructions of the law firm (unless required by law to process personal data without such instructions)
- that the cloud service provider ensures that any person(s) processing personal data is subject to a duty of confidentiality
- that the cloud service provider takes all measures required pursuant to Article 32 GDPR (Security of Processing) including but not limited to implementing appropriate technical and organisational measures to protect personal data received from the law firm
- that the cloud service provider obtains either a prior specific authorisation or general written authorisation for any sub-processors the cloud service provider may engage to process the personal data received from the law firm. The cloud service provider must further ensure that where it has a general written authorisation to engage sub-processors, the law firm has the opportunity to object in advance to each individual sub-processor to be appointed by the cloud service provider
- that any sub-processors engaged by the cloud service provider are subject to the same data protection obligations as the cloud service provider and that the cloud service provider remains directly liable to the law firm for the performance of a sub-processor’s data protection obligations
- that the cloud service provider assists the law firm by appropriate technical and organisational measures to respond to data subject rights’ requests under Data Protection Law
- that the cloud service provider assists the law firm to ensure compliance with obligations under the GDPR in relation to security of data processing (Article 32 of the GDPR), notification of data breaches (Articles 33 and 34 of the GDPR) and data protection impact assessments (Article 35 and 36 of the GDPR)
- that, at the expiry or termination of the contract and on the law firm’s instruction, the cloud service provider deletes or returns the personal data received from the law firm
- that the cloud service provider makes available to the law firm all information necessary to demonstrate compliance with Article 28 of the GDPR and that the cloud service provider allows for and contributes to audits conducted by the law firm or a third party on the law firm’s behalf
Security controls of course apply to both on-premises systems and cloud computing. However, because of the cloud service models employed, the operational models, and the technologies used to enable cloud services, cloud computing may present different information security risks to an organisation than traditional IT solutions.
You’ll need to consider how to evidence assurance that the cloud service provider will be able to perform its information security commitments. This is done typically through a combination of warranted responses to your RFP (Request for Proposal), contractual commitments and evidence of third party standards certification, perhaps with independent testing for more critical aspects.
The most widely recognised international standard for information security compliance is ISO/IEC 27001, which includes national variants and well-developed certification regimes. ISO also has standards specific to cloud computing:
- ISO/IEC 27017 – code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018 – code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, which specifically addresses cloud service security and privacy considerations and builds upon ISO/IEC 27001
- ISO/IEC 27036-4 – information security for supplier relationships - Part 4: Guidelines for security of cloud services
There are also codes of conduct relating to the handling of personal data in cloud services, for example the EU Cloud Code of Conduct.
Other professional conduct matters
Confidentiality and disclosure
Standard 2.5 of the SRA Code (2019) for firms requires you to identify, monitor and manage all material risks to your business, including those which may arise from your connected practices.
Standard 6.3 of the SRA Code (2019) for firms states that you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents.
Standard 6.4 of the SRA Code (2019) for firms requires any individual acting for a client to make the client aware of all information material to the matter of which the individual has knowledge.
These standards reinforce your obligations in respect of transparency, data protection and information security but they also go further in that they do not just apply to personal data.
Access to outsourced data by the SRA
Standard 2.3 of the SRA Code (2019) for firms requires you to ensure that relevant information, which is held by you, or by third parties carrying out functions on your behalf which are critical to the delivery of your legal services, is available for inspection by the SRA.
Standard 2.5 of the SRA Code (2019) for firms requires you to identify, monitor and manage all material risks to your business, including those which may arise from your connected practices.
Standard 4.2 of the SRA Code (2019) requires you to ensure that the service you provide to clients is competent and delivered in a timely manner, and takes account of your clients' attributes, needs and circumstances.
Adopting a third-party cloud computing platform is likely to constitute outsourcing an operational function that is critical to the delivery of your legal activities. It follows that you should seek contractual terms and conditions from your cloud supplier that would enable you to satisfy the Standards and Regulations as set out in this section and in section 4.2 above.
Lawful access to data
There may be circumstances in which police or intelligence agencies at home or abroad can lawfully obtain access to your data via your cloud service provider.
You should have regard to the possibility of lawful access by a foreign law enforcement or intelligence agency when selecting a cloud service. Select a provider who will offer appropriate contractual commitments and operational practices in relation to managing the risks of your data being subject to such lawful access.
You should also consider a range of other factors that may have a bearing on whether or not you should entrust them with client data.
These include their:
- ownership and control (including foreign ownership and control)
- financial stability
- independent certifications
Section six below discusses procurement and contract issues further.
Impact on the law firm’s client relationships
A law firm that uses a cloud service to provide (in turn) a service to its own clients may be bound by certain SLAs.
The law firm should carefully review whether any inconsistencies may arise between the ‘upstream SLA’ (with the cloud service provider) and the ‘downstream SLA’ (with their client).
An obvious issue would be a higher uptime commitment to its client than the uptime guaranteed by the cloud service provider in the cloud computing contract.
Procurement and contract
Cloud computing contracts vary. Whether you’re choosing a standardised 'click-wrap' offer (clicking an 'I agree' button to terms and conditions), or negotiating a sophisticated and multi-layered agreement, you should consider the following issues.
Pre-contract: internal approval
In addition to a review of business requirements, a robust business case and proper risk and compliance analysis (see section 3), you should ensure that you have an internal approvals process which you follow.
There is a risk that staff at any level will circumvent your official procurement and approvals processes, particularly with 'click-wrap' and 'free' services.
'Free' services may involve payment for extras, or generate income from processing data about you. They can pose serious data protection, client confidentiality and information security risks.
Everyone in your practice should be alerted to these risks, and be made aware of the need to follow your formal approvals process.
Pre-contract: scope for negotiation
It may not be possible to negotiate standard terms and conditions as many cloud service providers offer take-it-or-leave-it contracts. In other negotiations, your relative bargaining power will be insufficient.
This may not be a problem, particularly if your intended deployment of cloud services is non-strategic.
However, if you do need to negotiate, then you should be aware that many 'integrators' – sub-contractors re-selling primary cloud services – are likely to have greater bargaining power with cloud service providers than you do. As discussed in section 4.2 it is important to understand the basic relationships in your cloud services supply chain.
Key commercial and legal issues
You should critically question and fully understand any cloud contract you enter into. Some of the matters you may wish to consider include the following:
Liability for service failure
Cloud service providers frequently exclude contractual liability for their customers' direct losses and even more frequently, indirect losses, as a result of service failure.
It may not be possible to re-negotiate these terms. In practice the solution may be to choose a cloud service provider with:
- a good track record
- commitment to remain in the cloud computing market
- a strong reputation to protect
Service levels and service credits
Service levels should be objective, quantifiable, repeatable measures of matters within your cloud service provider's responsibility. You should agree the service levels that are important to your firm.
Service availability is likely to be a key measure for most firms. You should consider various aspects of service availability including:
- point of measurement: availability of service provision or availability at the point of user consumption
- service measurement period: even if a service boasts high availability measured 24/7, this could translate into relatively high downtime during normal working hours
- application availability: availability of particular applications may be just as important to you as general availability of a service
Cloud service providers commonly offer service credit if they fail to meet their service level agreement. You should weigh up the relative merits of this regime against damages at common law.
In general, service credit regimes are advantageous to cloud customers and cloud service providers as they offer certainty and keep risk to identifiable and manageable levels.
You should be careful before accepting that service credits are your sole and exclusive remedy. This will limit your right to sue for damages at large or terminate the contract.
Regulation and professional conduct
You should satisfy yourself that the following obligations are, where appropriate, addressed in the terms and conditions you agree with your cloud computing service provider:
- data protection
- client confidentiality
- business continuity
- your other regulatory and professional conduct obligations
You should read and follow our other relevant practice notes, including:
Disengagement and transition
Before entering a cloud computing contract, you should think about what will happen if you need to terminate it or what happens at the natural expiry of the contract.
You should ensure that if you need to migrate services to another cloud service provider, or back to you, it can take place with minimal disruption. In particular, the format of the data transmitted from the cloud service provider to the law firm should be specified in the cloud computing contract and should conform to standard data formats whenever possible, to enable portability to a new service.
The transmission of the data from the cloud service provider to the law firm or a new cloud service provider should use standard packaging and data transfer techniques.
You should therefore define your requirements for exit at an early stage in negotiations, and ensure that the contract provides a clear exit strategy.
You should consider removing contractual provisions permitting the cloud service provider the right to exercise lien over your data and client data.
Other contractual issues
Some of the other contractual matters you may wish to consider include the following.
Jurisdiction and governing law
Cloud service providers and their customers are commonly located in different jurisdictions. Where this is the case, two separate issues need to be considered:
- applicable governing law
- jurisdiction
Governing law relates to the law that governs the contract. Jurisdiction relates to courts of the country which is to resolve any dispute.
In each case, the cloud computing contract may stipulate the choice of law and jurisdiction. However, there may also be separate rules on applicable law and jurisdiction which apply irrespective of provisions in the contract. For example, data protection has its own free-standing rules on applicable law and jurisdiction.
Minimum terms, renewals and notice periods
Cloud computing contracts frequently have a fixed term, which sometimes renews automatically unless terminated. As these contracts require notice of non-renewal within a set period before expiry, you should be careful not to miss the window.
Acceptable use policies
In cloud computing contracts, the customer has an obligation to comply with the cloud service provider's acceptable use policy (AUP). This policy protects the cloud service provider from liability arising out of the conduct of their customers.
The vast majority of policies prohibit a consistent set of activities that cloud service providers consider to be improper or illegal uses of their service.
In most cases, the prohibition of the activities referred to above may be acceptable. However, in a law firm context, they need to be considered carefully. For example, if a law firm is acting for a client who is defending a defamation claim, materials which are hosted by the cloud service provider could be defamatory (which under most AUPs would mean that the law firm is in breach).
Consequently, you should review the acceptable use policy carefully and seek to revise any restrictions which you may inadvertently breach.
Introduction of harmful code
In the cloud computing environment, the introduction of harmful code like viruses and other malicious code is a potential threat to your systems and data.
You’ll need to rely on the cloud service provider applying sufficient protection against the introduction of harmful code in hosted data and systems as well as via any communication with your local systems.
To manage this risk, you should consider the potential risks posed by harmful code and the relevant obligations that should be imposed on the cloud service provider to ensure that your systems and data are protected.
Change of control and assignment/novation
You should consider the risks associated with another entity obtaining control of your chosen cloud service provider.
Contractual approaches to managing this risk include:
- requiring the cloud service provider to inform you in advance (subject to any listing rules of a relevant stock exchange) of any proposed change in control of the cloud service provider
- having the right to terminate the contract if a change of control has occurred; and/or
- ensuring that any transfer of the cloud service provider's rights and obligations under the contract to another entity (commonly referred to as 'assignment' in the case of rights and 'novation' in relation to rights and obligations) is subject to your prior written approval
Understanding the supply chain has already been covered in sections 4.2 and 4.3, but it has consequences beyond data protection compliance. When determining your contractual approach to supply chain risk management, you should also consider:
- Should subcontracting be permitted at all?
- If subcontracting is permitted, should it be permitted in respect of the whole or part of the subject matter of the contract?
- If subcontracting is permitted, on what basis can you withhold your consent?
- Do you have the right to review the terms of the subcontract?
You should also consider the various mechanisms you can use to allocate, manage or transfer the risks associated with subcontracting - for example, by ensuring that the cloud service provider is fully liable for the acts and omissions of its subcontractors.
Suspension of services
Cloud computing contracts frequently contain a right for the cloud service provider to suspend services at its discretion.
Alternative approaches include:
- not permitting suspension except with prior notice and agreement
- not allowing suspension for any reason other than non-payment unless prior notice, stating the reasons for suspension, has been given
- not allowing suspension without prior written notice of non-payment, with an obligation on the provider to give a final notice, and a commitment to restore services within a certain number of days after payment
- allowing suspension for material breach, but only after reasonable prior notice and good-faith consultation with you
You should always have effective business continuity arrangements in place.
Change of terms at discretion of the cloud service provider
Some cloud computing contracts include clauses allowing the cloud service provider to change the terms of the contract at any time without agreement by the customer. You should consider:
- deleting the right or making the right subject to your agreement to any change, or
- placing an obligation on your cloud service provider to notify you in advance of any changes and give you the right to terminate the contract if you do not agree to the changes
It is good practice for you to negotiate a contractual requirement for the cloud service provider to carry sufficient insurance to cover the cloud service provider’s liability under the cloud contract.
Practice notes represent the Law Society’s view of good practice in a particular area. They are not intended to be the only standard of good practice that solicitors can follow. You are not required to follow them but doing so will make it easier to account to oversight bodies for your actions.
Practice notes are not legal advice, and do not necessarily provide a defence to complaints of misconduct or poor service. While we have taken care to ensure that they are accurate, up to date and useful, we will not accept any legal liability in relation to them.
For queries or comments on this practice note, contact our Practice Advice Service.
There are seven mandatory principles in the SRA Standards and Regulations which apply to all aspects of practice. The principles apply to all authorised individuals (solicitors, registered European lawyers and registered foreign lawyers), authorised firms and their managers and employees, and to the delivery of regulated services within licensed bodies.
Must – a requirement in legislation or a requirement of a principle, rule, regulation or other mandatory provision in the SRA Standards and Regulations. You must comply, unless there are specific exemptions or defences provided for in relevant legislation or regulations.
Should – outside of a regulatory context, good practice, in our view, for most situations. In the case of the SRA Standards and Regulations, a non-mandatory provision, such as may be set out in notes or guidance.
These may not be the only means of complying with legislative or regulatory requirements and there may be situations where the suggested route is not the best route to meet the needs of a particular client. However, if you do not follow the suggested route, you should be able to justify to oversight bodies why your alternative approach is appropriate, either for your practice, or in the particular retainer.
May – an option for meeting your obligations or running your practice. Other options may be available and which option you choose is determined by the nature of the individual practice, client or retainer. You may be required to justify why this was an appropriate option to oversight bodies.