Standard 4.10 on Effective Use of Technology
Standard
A legal aid organization should utilize technology to support efficient operations and the provision of high-quality and responsive services. Organizations should remain informed and educated about technology tools and systems used by courts, administrative agencies, and others in ways that impact clients, or that clients are required to use when accessing courts or other services. Wherever possible, organizations should strive to participate in the creation of technology tools used by courts and agencies and work toward integration of technology systems with justice system partners to create efficiencies and seamless experiences for clients while also preserving confidentiality of information. Further, information security and data protection are of paramount importance to legal services organizations and organizations should maintain strong practices around information security, backup, and disaster recovery.
Commentary
General Considerations
A legal aid organization should utilize technology to operate efficiently and to respond to the growing and changing legal needs of the communities it serves. The rapid and ongoing changes brought about by technology impact how client communities interact with their environment, access services and government benefits, and how they engage with the legal system. Technology is part of the infrastructure of legal aid practice and the courts and is integral to a legal aid organization's operations in the options available for providing services to the client community.
The tools for effective practice and for responding to the legal needs of client communities must be anchored in safe and reliable technology. Each organization has a responsibility to plan effectively how it will use technology in providing assistance to clients in its service area and in supporting its internal operations, including the production and management of legal work and the training and support of its staff. This involves awareness about how government agencies process applications, provide benefits, and deliver court services using and requiring technology from client-eligible groups.
Technology also plays a central role in how the legal system operates as more courts and administrative agencies rely on computer and web-based methods of operating, utilizing e-filing, online applications, remote court appearances, and automated systems for determining eligibility, to name a few. As courts are embracing remote hearings and remote appearances, legal aid organizations will need to be proactive in working with courts to ensure that their clients' substantive and procedural due process rights are not compromised through the use of technology.
As much as possible, organizations will also need to adapt how they represent and advocate for clients and will have to develop internal standards by which to review and implement the technology used to facilitate remote services. This standard setting and review process will force organizations to better understand security, encryption, and the dangers posed by data mining and the subsequent use of gathered information that might be shared with outside agencies - including law enforcement and border patrol - or used to create databases that can be shared with other companies without the legal aid organization's or clients' consent. In addition, before purchasing technology, legal aid organizations need to craft requests-for-proposals that ask for specific requirements.
Special Considerations Related to the Use of Artificial Intelligence
Much research and writing has been done on the uses and impact of artificial intelligence (AI) in the legal field, but too little attention is being paid to it by the legal aid community. AI brings great opportunities for efficiency and expanded services to legal aid, but it also brings potential risks, including around due process and privacy. Legal aid organizations should strive to be educated about and engaged in conversations about the use of AI, both within their own delivery systems as well as those of the courts and agencies with which their clients interact. Whenever possible, organizations should endeavor to be at the table when courts and agencies are planning, developing, and deploying systems using AI that will impact their clients' interests.
Use of AI, like all legal technology, should be evaluated against relevant rules of professional conduct and held to high standards involving transparency, accountability, reliability, and assurance of due process. Organizations are encouraged to work with others in their jurisdictions to develop standards around the use of AI in the legal system and to develop expertise in this field in order to be a resource for evaluating the ethics and legality of these systems and their impact on clients.
Decisions on whether to use AI tools should not be made by technical teams or vendors alone. The assessment should include ethics and privacy experts to ascertain the risk or potential that client-provided data could be used to create indexes or other tools that could eventually harm the communities served.
Technology Planning
A legal aid organization should examine all aspects of its operation for opportunities to increase the quality and range of its service through technology. There are many ways in which technology can be used by an organization, and new methods will evolve over time. There are a number of broad areas, as follows, regarding which the organization should plan.
The production and management of legal work. Technology plays an increasingly important role in relation to the production and management of legal work. There are also a number of applications that support efficiency and effectiveness, including case management software, document assembly capabilities, web chat tools, texting platforms integrated with case management tools, risk detectors, knowledge-based tools, videoconferencing, and tools for legal factual research. The legal aid organization should also be aware of the opportunities for using technology to collaborate with others, including outside practitioners, other legal aid organizations, and non-legal organizations that serve clients, but the legal aid organization must be mindful of ethical rules and client confidentiality as they pertain to these activities.
Part of managing legal work requires that the organizations know, understand, and consider how data analysis and analytics are now being used to better understand community needs and organization service penetration rates and impact. Thus, the organization needs to consider developments like mapping, linking data from the Centers for Medicare and Medicaid Services (CMS) to U.S. census data, as well as other data analytics tools, including those from Legal Services Corporation, which are available for all legal nonprofits as part of their needs assessment and internal evaluation of effectiveness, impact, and dispersion of the benefits of legal aid.
Training and support of staff. Technology should be used to provide trainings to staff, pro bono attorneys, and the organization's governing body. The organization should use technology to link with networks of advocates and with national support and advocacy organizations to support the legal work of its practitioners.
Internal operations. The organization should assess opportunities that technology may provide to increase the efficiency of its internal operations, including software for accounting, human resources and personnel management, and other such tools that may evolve. The organization should use technology to enhance its internal communications as well as its development and marketing efforts. In addition, organizations should consider new ways to sign, share, and co-author documents, and other innovations that support and facilitate remote services and workflows with staff and other team members.
Organization policies and practices. The organization should develop and implement robust policies regarding the use of technology by staff and others, including: 1) backup and disaster recovery plans; 2) security and procedures for protecting client and case data consistent with the duty of confidentiality; actions to take in the event of a security breach; 3) mobile technology use policies for staff, volunteers, and clients; 4) remote work and the remote delivery of services; and 5) other needs as they arise. Technology policies should be reviewed and updated at least annually to address the fast-changing nature of technological development. In addition, organizations should develop the internal capacity to review technology solutions for needs that arise and to ensure those solutions protect their clients and their data.
Legal aid organizations should adopt policies and practices to ensure protection of key information and systems. Policies and practices such as multifactor authentication, routine staff security trainings, and use of password managers, encrypted hard drives, and up-to-date security hardware and software are important pieces of information security. Organizations should also assess the benefits of vulnerability assessments, penetration testing, and cyber insurance policies. Legal aid organizations should routinely test their backup processes to ensure that data can be properly restored if it is lost. Additionally, organizations should consider a hybrid-cloud approach to backup - where an organization combines on-site backup with a cloud solution. Such a solution greatly increases the likelihood of a quick restoration of program systems and data in the event of a cyberattack or natural disaster.
Expansion of the range of services to clients and others in the community. Each organization should stay informed of new developments and regularly analyze the degree to which new strategies for serving client communities are possible as a result of technological innovations. An organization should cultivate a commitment to innovation and should take advantage of technology that can increase the scope of services it offers to its constituents. Technology can be used to provide legal information, to support limited representation and self-representation, to do remote intake (by clients or referring partners), and do remote representation of clients, among other uses.
Evaluation of technology tools. Technology planning should include an assessment of the effectiveness of the organization's current technology and of new technological advances that would enhance operation and delivery of services. See Standard 3.12 regarding general evaluation. Specific areas of evaluation for technology tools include evaluation of usability, accessibility, plain language efforts in public-facing tools, and others. Resources for such evaluations may be found at LSNTAP.org, on the Legal Services Corporation's website (https://www.lsc.gov/grants-grantee-resources/statewide-website-evaluation-project); and https://wave.webaim.org/.
Expertise to meet technology needs. The organization should assess whether its information technology needs can best be met by using staff, by outsourcing the responsibility to others, or by a combination of these two methods. The organization should also regularly consider areas appropriate for upgrading its technological capability to increase the efficiency and effectiveness of its delivery strategies while maintaining its ethical obligations concerning protection of client data.
To make informed choices about innovative uses of technology and to embrace those changes, an organization needs access to expertise. Not every organization has the resources to hire or contract the technological expertise needed for it to plan creatively. For many organizations, therefore, it is particularly important to participate in regional and statewide technology task forces and formal statewide and regional technology planning efforts in order to stay abreast of rapidly changing developments. An organization may be able to reduce costs by collaborating with others to plan and pay for the development and implementation of technology, such as case management software.
Responsibilities of the Organization Regarding its Utilization of Technology
Responsibilities to members of the client community. An organization should be aware of the degree to which members of the communities it serves have access to the technology they will need to take advantage of technologically-based service strategies. While internet access is fairly high among low-income communities, there are still many low-income persons and other client communities with limited or no access to the internet.Most low-income users connect online with mobile devices, not desktop computers.Thus, legal aid organizations need to engage in mobile-first design to accommodate their users. Others may have access to computers but lack training to use technology or might be afraid of using it. To the degree practical, an organization should support strategies that increase access of client communities to technology and should cooperate with other organizations that seek to increase technology's availability and usability.
The organization should also be careful not to utilize technology in ways that limit or deter access to its services. It should provide alternative means for access to assistance for persons who are resistant or unable to use of computers and other technology tools. Offering only online services is not recommended; instead, the organization should provide many doors to services to accommodate those who cannot afford legal services and might not have mobile technology or the technical literacy to use online tools.
An organization that obtains user information online needs to publish and abide by a privacy policy regarding how it will treat information it obtains from those using its systems. The policy should define and describe what private, confidential, or privileged information the tool collects, how that information will be used, and who will have access to that information. These policies and terms of use should be in plain language and in the languages prevalent in that region. The system must also be careful to protect from disclosure any confidential information obtained from applicants, clients, and other users of its services. It should have security measures in place to protect all of its electronic data from unauthorized intrusion. This includes having clear data retention policies for clients and applicants and requiring vendors to commit to not selling any information without express permission.
The approach organizations are encouraged to take is to assume that clients own the data they share or create and to empower clients to decide what services they want to opt into with full disclosure of how their data - individual or aggregate - will be shared. The policy should also address the special risks associated with interactions over the internet: Sensitive and personal information in electronic format should be appropriately encrypted, and the organization should have a policy regarding retention and deletion of such information. Organizations must also have data-sharing policies reflecting these protections and ensure partners with whom they share data abide by their policies and professional responsibilities, including the duty of confidentiality.
The organization should determine whether information that is provided by persons who obtain legal information online is confidential under the ethical rules in its jurisdiction.Any information given by a client or an applicant for the purpose of receiving legal services is confidential under pertinent ethical rules.Limitation regarding the use of personal information might also be defined by state law, and the organization should be aware of what systems are collecting that data and make sure that the way the data is being used and shared is explained in privacy and terms of use policies. Familiarity with local and state protections on personal information (including consumer protection) needs to be developed by the organization's management teams and decision-makers. Persons who provide personal information in the course of obtaining legal information from the organization and who had no expectation or intention of becoming a client of the organization may be subject to the same protections.
This includes when legal aid organizations use Software as a Service (SaaS) tools when working with clients and applicants. The organization should do a review of key data policies, practices, and terms of use to ensure that client data will not be shared nor sold without specific consent from the client, and not made available to external entities, such as law enforcement or other state actors, without client consent and release. Clients should be informed of the risks of the use of those tools with regard to their data.
The organization should protect the information from disclosure, but it may not be able to resist a subpoena or other official request for disclosure. The organization's terms of use of the technology it uses should explain how it will deal with subpoenas, and whether it will disclose to the client a release of information pursuant to a subpoena. The organization should have a policy regarding whether it will retain the personal information it obtained this way, for how long, and with what organizations or outside data users, including courts or online dispute resolution platforms and the like that it may be shared with. Informed consent by the user is usually required by the ethics rules and, even when not required, should be considered before sharing individual data with anyone outside of the organization, including machine learning systems that are used to train an algorithm. As much as possible, an organization should not use systems that automatically opt clients into to data-sharing, even in a pilot. For nonservice analysis and evaluation, the organization might aggregate data in safe database that only staff persons can access.
Budgeting adequate resources for technology. Technology staff should be part of budgeting and strategic planning processes for every organization. An organization should include its technology needs as part of the annual budgeting process. Funds should be allocated for planned major expenditures to maintain and update technology and adopt emerging practices and initiatives. The budget should provide for purchase, maintenance, and support of technologies used in the delivery of services to clients. It should provide adequate funds for internal technology needs, including: 1) regular upgrade and replacement of equipment and software; 2) personnel necessary to maintain networks and equipment; and 3) training and support of staff in the use of technology. This also includes ensuring that data infrastructure, including connections between offices, and, in particular for rural offices, bandwidth and online storage and speed is sufficient and reasonable and does not act as a barrier to using that technology. For organizations that are using cloud-based services and storage, this includes monitoring cloud capacity to ensure that online systems are not slow or lead to disconnects. Technology investments should be planned on a multiyear basis and should include reserve funds to allow for flexibility in taking advantage of new developments and necessary maintenance/upgrades.
Regular maintenance of equipment and software. One result of the rapid changes in the design and capability of technology is that both hardware and software suffer from speedy obsolescence that can only be addressed by regularly updating equipment and software. Budgeting should provide for upgrading equipment on a rotating basis so that all equipment is replaced as new technology standards evolve, or as needed. Maintenance, upgrades, and administrative system patches should be done on a routine basis so the systems and software the organization uses remain updated and are not vulnerable to intrusions. Failure to do so can result in a system that is unable to operate newly developed software that might be instrumental in helping the organization serve its clients more effectively and exposes the organization to back-end hacking and virus insertion.
The persons who are responsible for the organization's technology infrastructure need to be well-qualified for their roles. The organization's leadership needs to understand the business requirements of the organization, the ethical requirements regarding confidences, state consumer law protection requirements, and related technical applications so that it can effectively hire and manage appropriate technology staff.
There are multiple responsibilities that technology personnel need to address, including: 1) management of the servers and network infrastructure; 2) management of all hardware and software; 3) support and training of users of the technology and development of security policies, practices, and protocols; 4) management of organizational databases and system-wide applications, including routine backups and routine system code patches; and 5) management of technologies that are used to assist clients. The organization should consider whether it would be cost-effective to outsource the development, hosting, maintenance, or support of some or all of these technological needs.If outsourcing is considered, the organization should retain technical consultants who have worked with similar organizations and are familiar as much as possible with legal aid obligations, ethics, and practices, and the client community.
The staff or contractors who are responsible for the technology assets of an organization need to have knowledge, skills, and a budget necessary to keep all tools functioning and available to staff who rely on them. Technology personnel need to be capable of managing the organization's databases and case management system as well as accounting and all software in use so staff can make maximum use of the organization's tools and so critical data is not lost.
Using technology to serve clients. An organization should be alert to the ways that emerging technologies can be used to serve clients directly, either by supporting their access to representation or by directly providing legal information and other needed assistance. The organization should budget not only for the equipment and software to support such efforts, but also for the non-technical expenses, such as the personnel necessary for the development and updating of content, end-user support, evaluation, and data analysis of those services.
It is also important that an organization work with others in regional and statewide systems to explore ways that technology may be used collaboratively to strengthen the overall system.An organization should also work with courts and administrative agencies to make certain that their technological requirements, such as mandated remote video trials, conferencing, family mediation, and electronic filing and signatures, for example, function in ways that facilitate access for client populations, including those unable to access them online or with no or little technical literacy or printing capacity.
Training and support of staff in the use of technology. It is critical that the organization plan and budget for technology training and support of all staff, including sufficient support for those who have difficulty adapting to it. Of particular importance is training staff and volunteers on security practices and protocols, to avoid falling victim to hacking and virus insertion attempts to ensure the integrity of the organization’s data infrastructure.