The Legal Aid Commission of Western Australia (Commission) provides legal information, advice, assistance and representation to the public. The type and level of help an individual receives depends on their legal problem, their finances, and the Commission’s resources. The Commission aims to make it easier for people to obtain legal help and resolve their problems as soon as possible. It also tries to find alternatives for clients than going to Court.
The legal aid process includes assessing the eligibility of applicants, whether an applicant should co-contribute to the costs of legal representation and assigning lawyers to represent an applicant. The software application used by the Commission to help process requests for legal aid is called LAW Office. An applicant’s details are entered into LAW Office to assist with assessing the eligibility of applicants to receive legal aid and assigning a lawyer. It also calculates any co-contribution that may be required. The system was co-developed with other Australian Legal Aid Commissions.
In order to qualify for a grant of legal aid the following eligibility tests are applied to each applicant:
- Whether the legal matter is in one of the priority categories that the Commission has to provide aid for or whether appropriate assistance can be obtained elsewhere.
- A means test to determine if the individual can afford a private lawyer, and whether a co-contribution is required.
- Merit test to establish whether the individual’s case is likely to succeed.
In 2013-14, State Government funding for legal aid was $38.150 million and Commonwealth grants and contributions totalled $22.182 million. In this period the Commission received 14 059 applications for legal aid, and approved 71 percent of these requests.
Overall, LAW Office is an effective application for managing legal aid applications. However, some control weaknesses in data validation and supporting processes could result in legal aid being incorrectly or unfairly awarded. Due to a lack of oversight there is also a risk that external firms appointed to provide legal advice may not be meeting defined levels of service or quality. In addition, a number of system and database vulnerabilities were identified. These increase the risk of unauthorised access and sensitive client information being compromised.
The Commission does not have an effective process to validate information and documents provided by individuals applying for legal aid. For example, the Commission accepts an applicant’s declaration of assets and only cross-checks this information on an exception basis. Our own data matching of applicant information with land ownership records found that 63 of the 14 059 applicants owned property they did not declare. The Commission advised that often properties are co-owned with a person who is the opposing party in a legal suit, and these should not be used in means tests.
Without appropriate validation, there is a risk the Commission will provide legal aid to people who are not eligible. But as well, because legal aid funding is limited, any allocation of financial assistance to people who should not qualify for assistance means that more deserving people will miss out.
Decisions and calculations based on unchecked information
The Commission does not have an effective process to review the accuracy and completeness of applicant information recorded in the system. Errors in the applicant’s information or the transcription of the information into the system can impact on the fairness of internal decisions based on this information.
Assessors use LAW Office information when deciding to approve or decline legal aid representation and in assigning lawyers. The system also uses this information to calculate the amount of any client co-contribution. Inaccurate information entered into the system increases the risk of inconsistent or inappropriate decisions by assessors in awarding legal aid. It is also likely to affect the accuracy of the co-contribution amount.
Compensating review processes
Lawyers are able to access the system and enter applications for aid on behalf of their clients. As a control to check that entered information is accurate and complete, the Commission checks the accuracy of a sample of the information entered by firms that provide legal aid services to clients. The review also checks whether lawyers comply with policies and procedures for providing services to clients, and in claiming compensation for services provided.
However, the sample that is checked is small – just five of the 27 private practitioners that the Commission received complaints against in 2014, down from 10 in the previous year. Although this number is relatively small, the Commission also rolled out new private practitioner panel arrangements that set out specific obligations on panel members.
The small sample means that the Commission can give only minimal assurance about the accuracy of information or the quality of service provided to clients. The small sample also impacts on the assurance the Commission can give that the firms accurately charge for legal services they provide.
Security of sensitive information
We performed a vulnerability assessment and database security check on the LAW Office application and the related IT environment. These tests identified a range of weaknesses which increase the risk to the confidentiality, integrity and availability of sensitive client data.
Some of the weaknesses we noted were:
- Software updates not applied – We found that software updates released by the vendor to fix known security issues and weaknesses had not been applied. This may allow attackers to gain unauthorised access to the system and/or information. An effective patching process that keeps software up to date is vital to help protect against cyber and other threats.
- Weak passwords – We also found that a number of database accounts had simple, well-known or easy to guess passwords. If the passwords are obtained or guessed by hackers, they can be used to access the system and information.
- Data is not encrypted – Despite storing a large amount of sensitive client information the Commission had not applied any encryption to stored data. Encryption would help prevent sensitive client details being read by unauthorised individuals.
Human resource security procedures
We identified that the Commission do not require staff or relevant individuals to sign to confirm they understand their obligations when they leave the entity’s employment. By signing this statement, the individual acknowledges that they may no longer access the entity’s systems and may not use any information they became aware of during their employment or engagement for other purposes. The Australia New Zealand Policing Advisory Agency recommends that all relevant individuals sign to acknowledge they understand their obligations when they leave.
We also found that an IT account belonging to a former staff member was still active, although the activity logs showed that their last login was on their last day of employment. This account could have been used to gain unauthorised access to the Commission’s network and the LAW Office application. Without adequate procedures covering all individuals ending their employment or engagement, there is an increased risk of unauthorised system access. This may impact the confidentiality, integrity and availability of sensitive information.
- To reduce the risk of unauthorised access and changes to information, the Legal Aid Commission Western Australia should by September 2015:
a) implement an appropriate and effective patching process. The Commission should also conduct regular vulnerability scanning as defined in its internal policy
b) apply password management controls to ensure that all account passwords follow good practice for access management and comply with internal policy requirements
c) protect sensitive information by considering encryption for data at rest and for backups
d) enhance current exit procedures to ensure staff and contractors are appropriately informed of their IT and information obligations once their engagement ceases. In addition, all IT user access accounts belonging to terminated employees and contractors should be deleted or disabled in a timely manner.
2. To ensure completeness and accuracy of LAW Office information, the Commission should by September 2015:
a) implement appropriate checks to validate each applicant’s information and supporting documentation. This should be supported by an internal review process to give confidence that decisions regarding legal aid allocations are made fairly and appropriately
b) establish a robust and appropriate review process of law firms that it allocates funds to. This should help ensure that the Commission and their clients are receiving appropriate levels of quality and value in contracted services.
The Legal Aid Commission accepts the findings of the audit and would like to express its thanks to the Office of the Auditor General for its efforts and advice. The report highlights the need for ongoing review of systems and processes to ensure that clients receive the most appropriate service and the best possible outcome. Legal Aid will act on the recommendations as a matter of priority to improve the assessment of legal aid applications and reduce the risk of client information being compromised.
 Making your company technology crime resistant, 2014.