The UK's Online Safety Act (OSA) came into force on 26 October 2023, but much of the detail around compliance is to be set out in Codes of Practice and guidance produced by Ofcom. Ofcom published the first in a set of consultations on the OSA covering illegal content in November 2023. Annex 6 of the consultation contains draft guidance on record keeping and review.
The draft guidance in Annex 6 (guidance) is intended, once final, to assist service providers with understanding the expectations around maintaining records of measures taken to comply with relevant duties under the OSA. Maintaining records and regularly reviewing them will simultaneously allow service providers to keep track of their compliance with applicable duties and allow Ofcom to monitor compliance.
What are the record keeping and review duties under the OSA?
The guidance addresses duties specifically set out in sections 23 (user-to-user services) and 34 (search services) of the OSA, which are:
Record keeping duties
To maintain written records of:
- risk assessments
- measures taken to comply with a relevant duty (as described in a Code of Practice), and
- alternative measures taken and how such measures fulfil the relevant duty (if a measure established in a Code of Practice has not been adopted).
Category 1 services also have to keep records of adult user empowerment risk assessments. Category 1 and 2A search services have a duty to supply records of their risk assessments or revisions of them to Ofcom.
Review duties
To conduct:
- regular reviews of compliance with relevant online safety duties, and
- as soon as practicable following a significant change to the design or operation of a service, review compliance with the relevant online safety duties.
Each of these is considered below.
The guidance does not address the record keeping duties which apply to providers of pornographic content services (set out in Ofcom's recently published separate guidance for providers publishing pornographic content), or written records of children's access assessments and risk assessments (which Ofcom aims to publish in March 2024).
Guidance on written records
Ofcom initially establishes some key guidelines on written records. Service providers are instructed to maintain records which are:
- Durable and accessible: made and kept on a durable medium of the provider's choice which can easily and quickly be provided to Ofcom when necessary
- Easy to understand: legible and written in clear English (or Welsh, if the provider is based in Wales) without unnecessary jargon or shorthand, and
- Up to date: in line with the current risk assessment and identifying any updates made, with earlier versions retained to demonstrate historic compliance.
Making and keeping written records of risk assessments
Ofcom sets out what service providers need to do when making and keeping written risk assessment records. All service providers are required to maintain written records of each illegal content and children's risk assessment they undertake. Records need to include details of how the risk assessment was conducted and its findings, which should cover how the service has considered Ofcom's risk profiles, what evidence was used to assess risks, and any outcomes identified.
In Ofcom's view, services should be making records as the assessments are being undertaken and should be able to disclose the assessment to Ofcom as soon as it has concluded. Therefore, following a new written record (or revision of an existing record) of an illegal content risk assessment, or children's risk assessment, any Category 1 user-to-user service provider and Category 2A search service provider must promptly provide the full written record to Ofcom electronically, at Ofcom's published email address.
Risk assessment content
Ofcom sets out that risk assessments must contain details of:
- the service that the risk assessment applies to
- the date the risk assessment was completed
- dates of any reviews or updates undertaken
- the individual who completed the risk assessment, and
- the person who approved or had oversight of the findings.
The record of the risk assessment also needs to include specifics of how the service provider undertook the risk assessment, including:
- confirmation that Ofcom's risk profiles were consulted (which can be done by recording the outcomes of the risk profiles questionnaire, provided in Appendix A of the Services Risk Assessment Guidance)
- recording risk factors from Ofcom’s risk profiles that are relevant to the regulated provider’s service
- listing additional characteristics considered (if applicable)
- details of evidence around likelihood and impact of each priority illegal harm
- levels of risk assigned to each kind of illegal harm and any relevant non-priority illegal harm, alongside an explanation of the decision
- acknowledgement that the findings have been reported via the appropriate governance channel, and
- appropriate steps taken to ensure the assessment is kept current and up-to-date.
Records of measures taken in compliance with a duty recommended in a Code of Practice
Ofcom's Table A6.1 details relevant duties for service providers. If a service provider adopts measures established in a Code of Practice in compliance with one or more of these relevant duties, a written record should be promptly maintained. This record must include:
- a description of the measure
- the relevant Code of Practice, and
- the date the measure takes effect.
Records of alternative measures
Ofcom's Codes of Practice contain recommended measures that service providers can take to comply with applicable duties. Service providers which implement Codes of Practice will be presumed to be in compliance with the OSA in relation to the issues covered by the relevant Code. They may, however, take (or already have in place) alternative compliance measures, in which case they should promptly maintain a written record covering:
- applicable measures in a Code of Practice that have not been taken or are not in use
- the alternative measures taken or in use
- how those alternative measures comply with the duty in question, and
- how the provider has complied with section 49(5) (freedom of expression and privacy).
If the alternative measures are adopted to comply with safety measures which relate to illegal content and protection of children duties, the written record must identify whether the alternative measures have been taken in every area listed in Table A6.2 of the guidance. This will include regulatory compliance and risk management, design functionalities and algorithms, content moderation procedures and a range of other information.
Reviewing compliance
The guidance then establishes that service providers must regularly review compliance against each online safety duty set out in Table A6.3, or as soon as possible following a significant change to a service's design or operation.
Reviews need to be conducted at regular intervals allowing for ongoing monitoring, implementation, and review, considering the nature of the service, the relevant online safety duties that apply to it (identified in Table A6.3), the most recent risk assessment findings, and the outcome of the last compliance review undertaken.
Ofcom recommends that a review should be undertaken at least once a year. However, if a significant change to the operation of the service is implemented, compliance concerns arise, or a new measure is implemented, it may be appropriate to expedite the review process and conduct reviews more frequently than this.
Recommendations
This draft guidance provides useful insights and clarity as to how service providers can document the processes and measures they have in place to comply with the OSA. Usefully, there is some flexibility to deviate from prescribed Codes of Practice, provided that a service provider can document and justify the approach taken in accordance with the specific duties that apply. Overall, service providers should keep in mind that Ofcom expects risk assessments to be clear, transparent, available for review, and re-assessed regularly (particularly if a service offering undergoes changes in how it operates).