
Legal AI Compliance: SRA Requirements and Professional Liability Risks

Sotiris Spyrou


The Solicitors Regulation Authority has not written AI-specific rules, and it does not need to: your existing duties already cover AI, and you stay personally responsible for the work. The obligations apply in full: the seven SRA Principles, the Code of Conduct, the UK GDPR, and your professional indemnity cover. This guide sets out exactly which rules bite, where they sit, and where the liability lands.

A quick caveat before the detail. A lot of writing on this topic, including earlier versions of this very page, miscites the SRA framework. Getting the references right matters, because a regulator or a client can check them in seconds. Every rule and source below has been verified against the live SRA, ICO, and court materials.

How the SRA framework applies to AI

Start with what the Principles actually are. The seven SRA Principles (2019 Standards and Regulations) require you to act: (1) in a way that upholds the rule of law and the proper administration of justice; (2) in a way that upholds public trust in the profession; (3) with independence; (4) with honesty; (5) with integrity; (6) in a way that encourages equality, diversity and inclusion; and (7) in the best interests of each client.

Note what is not on that list. Confidentiality, competence, and client service are not Principles. They are duties in the Code of Conduct. That distinction is where most AI-compliance guidance goes wrong, so it is worth being precise.

The SRA's own position on technology is short and clear. In its compliance guidance on AI and technology, it says the client's best interests "must remain at the centre of your decisions about the use of technology." It sets no mandated tools. All technology use stays subject to the Principles and the Code.

Here is how the duties that bite hardest for AI map out.

| Duty | Where it sits | What it requires | What AI changes |
| --- | --- | --- | --- |
| The seven Principles | SRA Principles (2019) | Rule of law, public trust, independence, honesty, integrity, EDI, and each client's best interests | Every AI decision is judged against all seven |
| Confidentiality | Code of Conduct, para 6.3 | Keep client affairs confidential unless the law or the client permits disclosure | A far bigger attack surface; needs a lawful basis, a data processing agreement, and no tools that train on your inputs |
| Competence | Code of Conduct, paras 3.2 and 3.3 | A competent, timely service, and keeping your own knowledge current | You must understand the tool's limits and verify every output it produces |
| Client service | Code of Conduct, paras 3.1 to 3.4 | Communicate properly and supervise your team | Disclose material AI use, and offer a human-led alternative on request |

Confidentiality: Code of Conduct paragraph 6.3

Paragraph 6.3 requires you to keep the affairs of current and former clients confidential, unless disclosure is required or permitted by law or the client consents. AI changes nothing about the duty and everything about the attack surface.

  • Get a clear lawful basis and, where appropriate, client consent before putting confidential information into an AI system.
  • Put a data processing agreement in place with any AI provider, and check where the data is processed and stored.
  • Keep audit trails of what confidential material an AI tool has touched.
  • Treat consumer chatbots that train on your inputs as a confidentiality breach waiting to happen.

Competence: paragraphs 3.2 and 3.3

Paragraph 3.2 says the service you provide must be competent and delivered in a timely way. Paragraph 3.3 says you must keep your own competence and knowledge up to date. Applied to AI, competence runs two ways: you need to understand the law, and you need to understand the tool well enough to supervise it.

  • Know the model's limits, including its tendency to fabricate citations and authorities.
  • Verify every AI-generated output before it reaches a client or a court.
  • Train the people you supervise, because their AI use is still your responsibility under paragraphs 3.1 to 3.4.

Client service: paragraphs 3.1 to 3.4

The service and competence duties in paragraphs 3.1 to 3.4 also cover how you communicate. Where AI materially shapes the advice or the work, tell the client. Be ready to offer a human-led alternative for clients who want one.

Legal AI almost always processes personal data, which brings the UK GDPR and the ICO's Guidance on AI and data protection into play.

Data protection impact assessments

A DPIA is required where processing is likely to result in a high risk to people's rights, and the use of new technologies such as AI is one of the triggers. Your DPIA should describe the processing, test its necessity and proportionality, and assess the risks. If a high risk remains that you cannot reduce, you must consult the ICO before you start.

Protecting privilege

Legal professional privilege can be lost through careless handling. Segregate privileged material, control access tightly, and make sure no AI workflow ships privileged content to a third party that could be compelled to disclose it.

AI-assisted evidence and disclosure

The court rules predate AI but apply to it. Two points matter, and one is commonly stated wrong.

Disclosure in most civil claims runs under CPR Part 31. In the Business and Property Courts, where most commercial disputes sit, disclosure is now governed by Practice Direction 57AD, which took permanent effect on 1 October 2022 and takes precedence there. If your AI-assisted document review is for a B&PC matter, PD57AD is the rule that governs it, not a flat reading of Part 31.

On evidence, Practice Direction 32 sets the foundation requirements that AI-generated material has to meet: reliability, a clear chain of custody, and disclosure of how the material was produced.

Professional indemnity insurance and AI liability

Here is the other claim worth correcting. Solicitors' professional indemnity insurance is not provided by the Solicitors Indemnity Fund. Since 1 September 2000, firms have bought PII on the open market under the SRA Indemnity Insurance Rules and Minimum Terms and Conditions. The Minimum Terms require six years of run-off cover after a firm closes. The Solicitors Indemnity Fund now only provides post-six-year run-off, sitting behind the open-market regime rather than in front of it.

For AI, three things follow:

  • Read your policy for any technology or AI exclusions, and ask your broker directly.
  • Disclose material AI use to your insurer, because non-disclosure can void cover.
  • Remember you remain liable for AI errors. Documented human oversight is your strongest defence on a negligence claim.

What the regulators are signalling

The direction of travel is consistent across the regulators.

The SRA set out its concerns in its risk outlook on AI in the legal market, flagging hallucination, bias, and accountability. The Law Society has published practical material, including Generative AI, the essentials and a guide on generative AI in legal disclosure. The Bar Standards Board's AI guidance makes the same core point for barristers: you stay responsible, and you must check the output.

The courts have already acted on the risk. In Ayinde v London Borough of Haringey, the court dealt with fabricated AI-generated case citations, a reminder that the duty not to mislead the court does not bend for a tool.

A practical compliance framework for law firms

You do not need a new rulebook. You need to fit AI inside the duties you already hold.

  • Governance: name a partner accountable for AI compliance, and review AI use against the Principles and the Code on a set schedule.
  • Risk assessment: run a DPIA and a professional-conduct check before any AI tool touches client work.
  • Verification: require human review of AI outputs, with sign-off recorded.
  • Monitoring: audit outputs for accuracy and bias, and keep your PII disclosure current as your AI use grows.

Frequently asked questions

Does the SRA have specific rules for AI? No. The SRA has not made AI-specific rules. Your existing duties under the SRA Principles and the Code of Conduct apply to AI in full, and you stay responsible for the work.

Which SRA duties matter most for AI? Confidentiality (Code of Conduct paragraph 6.3), competence (paragraphs 3.2 and 3.3), and client service (paragraphs 3.1 to 3.4), alongside the UK GDPR and your professional indemnity obligations.

Do I need a DPIA before using legal AI? Usually yes. The ICO treats new technologies such as AI as a high-risk trigger, so AI that processes personal data will normally require a DPIA, with a duty to consult the ICO if a high risk cannot be reduced.

Am I liable if an AI tool makes a mistake? Yes. You remain responsible for AI-assisted work. Documented human oversight and verification are your strongest protection, and material AI use should be disclosed to your insurer.

Where this leaves you

Legal AI compliance is not a special regime. It is your existing professional duties, applied with care to a tool that fails in unfamiliar ways. Get the references right, keep a human in the loop, and document the oversight.

If you want that mapped to your firm, book an AI compliance review. For the governance thinking behind it, our book Ethical AI: Governing AI Before It Governs You sets out the framework boards and regulated firms are using. For the technical side, see our guide to enterprise AI security assessment.

References

  1. Solicitors Regulation Authority. SRA Principles. https://www.sra.org.uk/solicitors/standards-regulations/principles/
  2. Solicitors Regulation Authority. Code of Conduct for Solicitors, RELs and RFLs (paras 3.1 to 3.4, 6.3). https://www.sra.org.uk/solicitors/standards-regulations/code-conduct-solicitors/
  3. Solicitors Regulation Authority. Compliance tips for solicitors on AI and technology. https://www.sra.org.uk/solicitors/resources/innovate/compliance-tips-for-solicitors/
  4. Solicitors Regulation Authority. The use of artificial intelligence in the legal market (risk outlook). https://www.sra.org.uk/sra/research-publications/artificial-intelligence-legal-market/
  5. Solicitors Regulation Authority. Indemnity Insurance Rules and Minimum Terms and Conditions. https://www.sra.org.uk/solicitors/standards-regulations/indemnity-insurance-rules/
  6. Information Commissioner's Office. Guidance on AI and data protection. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/
  7. Information Commissioner's Office. When do we need to do a DPIA. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/
  8. Ministry of Justice. CPR Part 31, Disclosure and Inspection of Documents. https://www.justice.gov.uk/courts/procedure-rules/civil/rules/part31
  9. Ministry of Justice. Practice Direction 57AD, Disclosure in the Business and Property Courts. https://www.justice.gov.uk/courts/procedure-rules/civil/rules/part-57a-business-and-property-courts/practice-direction-57ad-disclosure-in-the-business-and-property-courts
  10. Law Society. Generative AI in legal disclosure, a practical guide. https://www.lawsociety.org.uk/topics/civil-litigation/generative-ai-in-legal-disclosure-guide
  11. Bar Standards Board. Technology and innovation. https://www.barstandardsboard.org.uk/about-us/what-we-do/technology-and-innovation.html
