The UK's Online Safety Act (OSA) came into force on 26 October 2023, but much of the detail around compliance is to be set out in Codes of Practice and guidance produced by Ofcom. Ofcom published the first in a set of consultations on the OSA covering illegal content in November 2023. Annex 6 of the consultation contains draft guidance on record keeping and review.
The draft guidance in Annex 6 (guidance) is intended, once final, to assist service providers with understanding the expectations around maintaining records of measures taken to comply with relevant duties under the OSA. Maintaining records and regularly reviewing them will simultaneously allow service providers to keep track of their compliance with applicable duties and allow Ofcom to monitor compliance.
The guidance addresses duties specifically set out in sections 23 (user-to-user services) and 34 (search services) of the OSA, which are:
Record keeping duties
To maintain written records of:
Category 1 services also have to keep records of adult user empowerment risk assessments. Category 1 and 2A search services have a duty to supply records of their risk assessments, or revisions of them, to Ofcom.
Review duties
To conduct:
Each of these is considered below.
The guidance does not address the record keeping duties which apply to providers of pornographic content services (set out in Ofcom's recently published separate guidance for providers publishing pornographic content), or written records of children's access assessments and risk assessments (which Ofcom aims to publish in March 2024).
Ofcom initially establishes some key guidelines on written records. Service providers are instructed to maintain records which are:
Ofcom sets out what service providers need to do when making and keeping written risk assessment records. All service providers are required to maintain written records of each illegal content and children's risk assessment they undertake. Records need to include details of how the risk assessment was conducted and its findings, which should cover how the service has considered Ofcom's risk profiles, what evidence was used to assess risks, and any outcomes identified.
In Ofcom's view, services should be making records as the assessments are being undertaken and should be able to disclose the assessment to Ofcom as soon as it has concluded. Therefore, following a new written record (or revision of an existing record) of an illegal content risk assessment, or children's risk assessment, any Category 1 user-to-user service provider and Category 2A search service provider must promptly provide the full written record to Ofcom electronically, using Ofcom's published email address.
Ofcom sets out that risk assessments must contain details of:
The record of the risk assessment also needs to include specifics of how the service provider undertook the risk assessment, including:
Ofcom's Table A6.1 details relevant duties for service providers. If a service provider adopts measures established in a Code of Practice in compliance with one or more of these relevant duties, a written record should be promptly maintained. This record must include:
Ofcom's Codes of Practice contain recommended measures that service providers can take to comply with applicable duties. Service providers which implement Codes of Practice will be presumed to be in compliance with the OSA in relation to the issues covered by the relevant Code. They may, however, take (or already have in place) alternative compliance measures, in which case they should promptly maintain a written record covering:
If the alternative measures are adopted to comply with safety measures which relate to illegal content and protection of children duties, the written record must identify whether the alternative measures have been taken in every area listed in Table A6.2 of the guidance. This will include regulatory compliance and risk management, design functionalities and algorithms, content moderation procedures and a range of other information.
The guidance then establishes that service providers must regularly review compliance against each online safety duty set out in Table A6.3, or as soon as possible following a significant change to a service's design or operation.
Reviews need to be conducted at regular intervals allowing for ongoing monitoring, implementation, and review, considering the nature of the service, the relevant online safety duties that apply to them (identified in Table A6.3), the most recent risk assessment findings, and the outcome of the last compliance review undertaken.
Ofcom recommends that, as a minimum, a review should be undertaken once a year. However, if a significant change to the operation of the service is implemented, compliance concerns arise, or a new measure is implemented, it may be appropriate to expedite the review process and conduct reviews more frequently than this.
This draft guidance provides useful insights and clarity as to how service providers can document the processes and measures they have in place to comply with the OSA. Usefully, there is some flexibility to deviate from prescribed Codes of Practice, provided that a service provider can document and justify the approach taken in accordance with the specific duties that apply. Overall, service providers should keep in mind that Ofcom expects risk assessments to be clear, transparent, available for review, and re-assessed regularly (particularly if a service offering undergoes changes in how it operates).