Is the new SiLAS service secure (Back to top)
We take the security of our services seriously. SILAS has been designed and built in line with UK government and industry best practice for secure development. Security has been included from the ground up, including multi factor authentication, with independent testing activities to validate that the appropriate security controls are in place. A dedicated team will monitor and update the service to ensure it evolves to remain resilient to emerging threats and is supported by a security operations capability.
While no system can be risk free, we are confident that we have taken the right steps to protect the service and its users.
User accounts (Back to top)
User accounts must be set up for each individual accessing SiLAS. An email address cannot be used by multiple users. The email address does not have to be a firm email address (e.g. name@lawfirm.co.uk), however it can only be used by one user and the email address cannot be used to set up any other user accounts.
You do not need to set up multiple accounts for each user if you hold more than one office. You should set up the user under the lead office code and the provider admin will be able to allocate access to any office codes required by that user.
More than one provider admin can be added as is necessary. This will vary depending on the size of your firm, the number of offices held, the volume of work, office policies, etc. We advise a minimum of two provider admins to be added.
User identification verification (Back to top)
Every user that holds an account on SiLAS must have their identity verified prior to being onboarded onto the service. This must be carried out by an individual with authority to represent and bind the organisation. This does not necessarily have to be the Compliance Officer for Legal Practice.
The body undertaking the check must view:
• A valid, in date, government issued photo ID (such as driving licence, passport, biometric residence permit)
• The person being ID’d
The body doing the check should then retain an audit log including:
• The unique number of the ID document
• The name of the person checked
• The date the check was completed
• Any declarations as to likeness or completion of check that the Agency are asking for
The record must be retained for at least as long as the user is active on SiLAS, or otherwise in accordance with your normal data retention policy.
The ID evidence may be requested by the legal aid provider and provided to LAA, usually as part of LAA audit and assurance activity.
There are also instances whereby individuals outside of the organisation, such as costs draftspeople, may have their identification verified by a third party. This is detailed below in the third parties section.
Declarations (Back to top)
A declaration must be provided every time a request for new users is sent to the Legal Aid Agency. If a request covers more than one user, only one declaration is required. You can obtain the official declaration document from your contract manager.
The declaration must be signed by an individual with authority to represent and bind the organisation. This does not necessarily have to be the Compliance Officer for Legal Practice.
A digital or wet signature can be used to sign the declaration.
The declaration may be requested by the legal aid provider and provided to LAA, usually as part of LAA audit and assurance activity.
Additional users (Back to top)
You can make an application to the LAA to create a new user account after the initial upload of users. In order to do this, you must provide a new organogram with the new user details. You must provide a new declaration every time a request for new users is sent.
Acceptable identification for verification purposes (Back to top)
Government issued photo ID such as a passport or driving license must be used to verify the identity of each user. This can be provided in person, or via email.
All photo ID that is used for verification purposes must be current and in date at the time that the declaration is signed.
If a user wants their account to be set up with a preferred name (such as a maiden name), this can be done as long as you are satisfied that their identification matches their legal name,
If a user does not hold any government issued photo ID, then they must provide two copies of non-photographic government issued ID (e.g. birth certificate, paper-based driving licence). If they are not able to provide this then they cannot be onboarded onto the Service.
Third Parties such as Costs Draftspeople (Back to top)
Identification must be obtained for every user onboarded onto SiLAS, including any third parties such as costs draftspeople. They must be included on the “third party” tab on the organogram provided by your contract manager.
Third parties cannot share a generic email address. They must provide a unique email address that has not been used to set up a user account with another firm. This does not have to be a firm email address (e.g. name@lawfirm.co.uk), any generic email provider can be used.
Due to the large number of costs draftspeople that may be used, it is possible for an external company that employs the costs draftspeople to handle the verification of their users on your behalf as long as certain criteria are adhered to.
The external ID checker would rely on an addendum to their Data Processing Agreement (DPA) between the solicitor (Data Controller) and themselves as the Data Processor. The addendum would require the external ID checker, in their capacity as data processors, to validate the identity of individuals who will have access to SiLAS and retain appropriate verification records.
The body undertaking the check must view:
• A valid, in date, government issued photo ID (such as driving licence, passport, biometric residence permit)
• The person being ID’d
The body doing the check should then retain an audit log including:
• The unique number of the ID document
• The name of the person checked
• The date the check was completed
• Any declarations as to likeness or completion of check that the Agency are asking for
The record must be retained for at least as long as the user is active on SiLAS, or otherwise in accordance with their normal data retention policy.
The declaration and ID evidence may be requested by the legal aid provider and provided to LAA, usually as part of LAA audit and assurance activity.
If you wish to adopt the above agreement, you will need to speak to your contract manager to obtain an updated declaration to reflect the above requirements.