(OSA) received Royal Assent on 26 October 2023 and came partly into force on that date. The OSA is a legislative act passed in the United Kingdom that aims to make online services safer for users. It introduces a new regulatory framework that imposes duties on providers of certain internet services to identify, mitigate, and manage the risks of harm to users.
Here are some key points about the OSA:
Scope: It applies to a range of internet services, including user-to-user services (e.g., social media platforms), search services, and certain video-sharing platforms.
Duties of care: Providers are subject to duties of care that require them to take reasonable steps to:
Mitigate the risks of harm from illegal content and activity, and content that is harmful to children.
Protect users' rights to freedom of expression and privacy.
Be transparent and accountable for their actions.
Enforcement: The Office of Communications (Ofcom) is responsible for enforcing the OSA. It has the power to investigate non-compliance, issue fines, and even block access to services in serious cases.
Criticisms: The OSA has been criticized by some for being too vague and potentially infringing on freedom of expression. Others have argued that it does not go far enough in addressing online harms.
It is important to note that the OSA is a complex piece of legislation, and the details are still being debated and interpreted. For more information, you can refer to the following resources:
The full text of the OSA: https://www.legislation.gov.uk/ukpga/2023/50/enacted?view=interweave
Most services will need to do an online safety risk assessment. This duty will come into force once Ofcom has finalised its guidance on illegal content risk assessments, which is expected in Autumn 2024.
You will need to consider how likely it is that your users could encounter illegal content or that your service could be used to commit criminal offences, and what the impact could be. It should help you understand how harm could take place, how your service’s user base, features and other characteristics could increase the risks, and what safety measures you need to put in place to protect people, especially children.
Your assessment should be as accurate as possible. It should be based on relevant information and evidence. The purpose of the assessment is to ensure you understand the risks so you can put in place appropriate safety measures. You also need to keep it up to date.
Step one: Understand the harms
Identify the illegal harms that need to be assessed
Take into account the list of risk factors published
Step two: Assess the risk of harm:
Consider any other characteristics of your service that may increase or decrease risks of harm
Assess the likelihood and impact of each kind of harm
Assign a risk level for each kind of illegal harm
Consider additional guidance on the risks of certain harms
assess what this means for your specific service.
You need to consider any other characteristics that may increase or decrease risks of harm including user base, design features, algorithmic systems, your business model, any user protection or risk mitigation measures, and other relevant aspects of the service’s design and operation, and the way it is used. You should gather evidence about your service.
Based on this information, you should decide how likely it is that illegal harms could take place on your service and what the impact could be. This will help you decide whether each kind of illegal harm is low, medium or high risk.
Step three: Decide measures, implement and record
Decide on the appropriate online safety measures for your service to reduce risk of harm to individuals
Consider any additional measures that may be appropriate on your service to protect people
Implement all safety measures
Record the outcomes of the risk assessment
Next, you need to decide how to address the risks you have identified. This is part of your related safety duties under the OSA.
You will then need to implement all measures to mitigate and manage risk and record the outcomes of the risk assessment.
Step four: Report, review and update risk assessments
Report on the risk assessment and measures via relevant governance channels
Monitor the effectiveness of mitigation measures
Review (and update) your risk assessment