UK Online Safety Act - Forums & Chatrooms

[Troutbum]

How are you getting on with your risk assessments?

https://www.ofcom.org.uk/online-saf...how-to-comply-with-the-illegal-content-rules/

 

[fdk]

I've just had a PM about this from another person actually, so glad I looked at this thread.

I work for a charity in the UK that was requested to submit a consultation to the Government about the Online Safety Act. The consultation we submitted was thoughtful, reasoned and well thought-out, and included some exemptions for small websites and non-profit organisations - unfortunately, the Government have given very little in this regard and almost any site that offers either a private messaging feature or an ability for users to comment/interact with other user-generated content will be in scope, which is not ideal.

This being said, over the length of this morning I have been reviewing the actual legislation and OFCOM Code of Practice in detail, and my initial assessment is that this does not place overly onerous duties on a forum admin. The main bulk of the work will be the initial period of conducting your relevant risk assessments. As long as your risk assessments show a low level of risk, which they should do for most small online forums, then your duties at that point become effectively to "be a good admin" - report any serious illegal wrongdoing on your website to the relevant authorities, and take action upon reports of potentially harmful content and have a complaints process in place in this respect.

It's more work sure, but I am not seeing why some are saying this is the "end" of your average joe being able to run his forum without accepting massive liability. This is not the case on my reading of the legislation.

 

[Troutbum]

Those are pretty much my findings and thoughts fdk.

I'm currently about half way through my risk assessment.

 

[ThomasW]

I think the main issue with the whole thing is: It's as usual people, who have no clue about the internet, deciding how the internet should look like or "be run".

It's just creating unnecessary obligations such as doing this risk assessment when we know it won't change anything, because those, which didn't care before, still won't care and those, who did care, already knew what to do.

 

[Al]

I completed mine in about 40 minutes. Its reasonably easy if once you get into a flow. Now I guess I just store this. There is no requirement to submit it anywhere, is there? And it's just something you can roll out should there be a complaint for you to say, "hey, I risk assessed that!"

 

[fdk]

I completed mine in about 40 minutes. Its reasonably easy if once you get into a flow. Now I guess I just store this. There is no requirement to submit it anywhere, is there? And it's just something you can roll out should there be a complaint for you to say, "hey, I risk assessed that!"

From my current understanding, you've pretty much nailed it - although I have a lot of work to do on this to ensure our organisation is fully compliant and have the whole week dedicated to this next week, so I will be sure to come back and update if I find anything else.

According to OFCOM's Code of Practice from what I see you also need to have a complaints procedure that is "readily accessible" (in practice, probably means adding a link to footer), that covers a user's right to complain and request a review of a decision to take down their content/profile or restrict their profile in line with the OSA. Note that it would seem the obligation at initial glance only extends to content removed or restrictions that you put in place directly in order to comply with OSA - so for example, you do not need to provide a "formal review mechanism" for a person who just spams the website (unless that content was otherwise defined within the OSA and might trigger a mandatory report, for example).

Also within your risk assessment you need to nominate a "responsible person" (usually the website owner) who has a formal legal duty to keep the risk assessment under review and comply with the duties to report "priority illegal content". Somebody other than the assessment writer, (although not necessarily a more senior person) also needs to approve the risk assessment.

Finally, I have now found the part in the guidance (note this part is in guidance and not the legislation or more formal "Code of Practice") that suggests OFCOM's expectation is for website owners to fully review and re-authorise their risk assessments at least once a year, and immediately if there is a "significant change in the design or delivery of services".

 

[Al]

Also within your risk assessment you need to nominate a "responsible person" (usually the website owner) who has a formal legal duty to keep the risk assessment under review and comply with the duties to report "priority illegal content". Somebody other than the assessment writer, (although not necessarily a more senior person) also needs to approve the risk assessment.

This here is the only part where many small operations such as a small forum are going to struggle. I am the assessment writer, the responsible person, the owner and the approver. This is not an 'organisation', its a hobby-site, There is no-one else. There is only me. Man, I'm all for keeping kids safe online. I have three of my own, but this nonsense for a small hobby site is just mental.

In reality, I should be doing this for every blog I have too. And there are at least six of them.

 

[fdk]

This here is the only part where many small operations such as a small forum are going to struggle. I am the assessment writer, the responsible person, the owner and the approver. This is not an 'organisation', its a hobby-site, There is no-one else. There is only me. Man, I'm all for keeping kids safe online. I have three of my own, but this nonsense for a small hobby site is just mental.

In reality, I should be doing this for every blog I have too. And there are at least six of them.

Yes - you are absolutely correct.

The assessments are also more rigorous than I initially realised, as the obligation seems to actually be to write an assessment for each of the "17 main identified harms" by OFCOM - this is going to be a lot of work, more than I initially realised, but still not unfeasible.

If you need someone to co-sign assessments, reach out. Always happy to help. EDIT: Also note in this regard, the assessment "approver", nor the assessor themselves, need be a UK resident, of course. EU citizens or citizens from any part of the world for that matter do not seem to be prevented from taking part in assessments, as long as they are "competent" and are undertaking their assessment or approval role in consideration of OFCOM's guidance and Code of Practice.

FYI, blogs are not clearly within the scope of OSA as it appears at the moment. If the site does not have a user-to-user private messaging feature, or doesn't allow users to comment on each other's user-generated content, then it is not in scope. For example, if your blog only allows comments in response to your articles, you will be fine - but if your blog allows users to comment directly in reply to other's comments, this will bring you within scope.

 

[Al]

For example, if your blog only allows comments in response to your articles, you will be fine - but if your blog allows users to comment directly in reply to other's comments, this will bring you within scope.

A simple case of turning off nested comments.

 

[ThomasW]

I don't know if it's just the way I see this, but it seems initially this thread was more like "Not a big deal" and now it's more like "Yeah, this is annoying".