The Online Safety Act (OSA) takes a largely systemic approach to how providers of certain user-to-user or search services are to deal with online safety. While the type of content covered by the OSA has become clearer over the course of the OSA's progress through Parliament, fundamental to its risk-based approach is the requirement on in-scope service providers to carry out substantial and ongoing risk assessments to assess the extent of their obligations.
Many providers already carry out various risk assessments, but the OSA will impose new and wider duties around them. As a result, risk assessments will become an even more crucial part of how many digital services are operated.
The OSA and its supporting documentation give only high-level indications as to what the various risk assessment duties will entail and how they may be satisfied, though it is already clear that the duties will be both substantial and continuous. Ofcom has already set out its planned approach to risk assessments under the OSA and has indicated that it expects any risk assessment process to include steps to establish the context, assess the risks, decide on and implement measures accordingly, and to include a process of review and updating (see more on Ofcom's approach here).
A sensible and commonly accepted approach will be vital both to providers knowing how they can comply and to acceptance of the new regime by all stakeholders, including the general public.
The obligations will be part of the relevant service providers' duties which will include the following, matching the three categories which appear throughout the OSA:
Providers will be obliged to consider risk profiles for their type of service developed by Ofcom (discussed below), then apply those specifically to how their service operates. This includes how the technology operates, the functionality it offers (defined according to a lengthy list of features) and how the design and operation of the whole service may increase or reduce risks.
This goes beyond consideration of the technology and extends into analysis of how the service is used and by whom, how likely the users in question are to encounter the regulated content and the nature and severity of the possible harm if they do. It will also look at the provider's governance systems and even its whole business model.
Providers will also have to both keep records of risk assessments and supply copies to Ofcom.
The first set of risk assessments is to be carried out by the regulator, Ofcom, to "identify, assess and understand" the risks of harm that regulated services may give rise to. These risk assessment profiles will follow the same categories. Ofcom then has to prepare "risk profiles" for different types of service. These will be based partly on the Ofcom risk assessment profiles, but also on a catch-all phrase, the "characteristics of the services". Ofcom will be required to produce guidance to accompany the risk profiles.
Although the intention appears to be that Ofcom's risk assessment profiles will cover types of service rather than those offered by specific providers, the "characteristics" of services include elements which sound specific to particular services. These include their functionalities, governance, business model and user base. As with other parts of the incoming OSA, the drafting lacks detail, but the intention seems clear: Ofcom will have broad discretion to decide what risks there might be.
Risk assessments which factor in the Ofcom risk profiles are to be carried out by providers of user-to-user and search services. All services must carry out the assessments of illegal content risks and whether children are able to access the service.
All Category 1 services must conduct adult user empowerment risk assessments.
Where the service is "likely to be accessed by children" (a test for which is set out in the OSA), the service provider must carry out risk assessments in respect of content harmful to children. We discuss children's risk assessments in more detail here.
The systemic approach depends upon a continual process of risk assessment, both by Ofcom and by service providers. Both are under an obligation to keep their risk assessments up to date, so this is to be seen as an ongoing process, requiring specific dedicated resource within an organisation, rather than something that can be carried out once and then treated as satisfied.
Providers will also have to conduct risk assessments at specific times:
Ofcom set out its planned approach to risk assessments under the Online Safety Bill in March 2023. Its proposed approach to risk across the online safety regime will be framed to achieve that:
Ofcom says its guidance will cover the kinds of evidence to be considered in risk assessments and what is likely to meet the requirement that assessments are "suitable and sufficient" for different types of organisation – larger services are likely to have a higher bar to meet in this respect. To that end, Ofcom plans to outline an additional set of evidence inputs for services which need to consider a range of sources of evidence to inform their risk assessments.
While recognising there is no 'one size fits all' approach, Ofcom says a good risk assessment should help a service anticipate and address the ways in which its users could be exposed to greater risks of harmful content. Helpful questions might include:
Ofcom has developed a four-step process which can be applied by services of all types and sizes:
Going forward, Ofcom says it is working with service providers and regulatory counterparts to help improve risk assessment coherence under different regimes, notably, the EU's Digital Services Act.
Much of Ofcom's approach to risk assessments has been informed by its role under other principles-based legislation, as well as by a wide-ranging literature review. It says it has learned from a review of best practice and industry standards that good risk management is not a single process but a broader approach by companies which puts risk-awareness at the forefront of decision making – a culture of risk-awareness and prioritisation by all teams across an organisation. Ofcom also refers to the importance of internationally recognised risk governance standards (e.g. ISO 31000 and the Three Lines Model) in helping to make a risk-focused culture a fundamental part of an organisation's governance and leadership.
The design of risk profiles and risk assessments will be among the first steps in implementing the new online safety regime. This will be a major task both for Ofcom and for service providers, but in order that risks and potential mitigations are properly understood, it will be crucial for service providers to be prepared to engage with the process from the outset.