How are you getting on with your risk assessments?

 

https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/check-how-to-comply-with-the-illegal-content-rules/

I've just had a PM about this from another person actually, so glad I looked at this thread.

 

I work for a charity in the UK that was requested to submit a consultation to the Government about the Online Safety Act. The consultation we submitted was thoughtful, reasoned and well thought-out, and included some exemptions for small websites and non-profit organisations - unfortunately, the Government have given very little in this regard and almost any site that offers either a private messaging feature or an ability for users to comment/interact with other user-generated content will be in scope, which is not ideal.

 

This being said, over the length of this morning I have been reviewing the actual legislation and OFCOM Code of Practice in detail, and my initial assessment is that this does not place overly onerous duties on a forum admin. The main bulk of the work will be the initial period of conducting your relevant risk assessments. As long as your risk assessments show a low level of risk, which they should do for most small online forums, then your duties at that point become effectively to "be a good admin" - report any serious illegal wrongdoing on your website to the relevant authorities, and take action upon reports of potentially harmful content and have a complaints process in place in this respect.

 

It's more work sure, but I am not seeing why some are saying this is the "end" of your average joe being able to run his forum without accepting massive liability. This is not the case on my reading of the legislation.

Those are pretty much my findings and thoughts fdk.

 

I'm currently about half way through my risk assessment.

I think the main issue with the whole thing is: It's as usual people, who have no clue about the internet, deciding how the internet should look like or "be run".

 

It's just creating unnecessary obligations such as doing this risk assessment when we know it won't change anything, because those, which didn't care before, still won't care and those, who did care, already knew what to do.

I completed mine in about 40 minutes. Its reasonably easy if once you get into a flow. Now I guess I just store this. There is no requirement to submit it anywhere, is there? And it's just something you can roll out should there be a complaint for you to say, "hey, I risk assessed that!"

I completed mine in about 40 minutes. Its reasonably easy if once you get into a flow. Now I guess I just store this. There is no requirement to submit it anywhere, is there? And it's just something you can roll out should there be a complaint for you to say, "hey, I risk assessed that!"

 

From my current understanding, you've pretty much nailed it - although I have a lot of work to do on this to ensure our organisation is fully compliant and have the whole week dedicated to this next week, so I will be sure to come back and update if I find anything else.

 

According to OFCOM's Code of Practice from what I see you also need to have a complaints procedure that is "readily accessible" (in practice, probably means adding a link to footer), that covers a user's right to complain and request a review of a decision to take down their content/profile or restrict their profile in line with the OSA. Note that it would seem the obligation at initial glance only extends to content removed or restrictions that you put in place directly in order to comply with OSA - so for example, you do not need to provide a "formal review mechanism" for a person who just spams the website (unless that content was otherwise defined within the OSA and might trigger a mandatory report, for example).

 

Also within your risk assessment you need to nominate a "responsible person" (usually the website owner) who has a formal legal duty to keep the risk assessment under review and comply with the duties to report "priority illegal content". Somebody other than the assessment writer, (although not necessarily a more senior person) also needs to approve the risk assessment.

 

Finally, I have now found the part in the guidance (note this part is in guidance and not the legislation or more formal "Code of Practice") that suggests OFCOM's expectation is for website owners to fully review and re-authorise their risk assessments at least once a year, and immediately if there is a "significant change in the design or delivery of services".

Also within your risk assessment you need to nominate a "responsible person" (usually the website owner) who has a formal legal duty to keep the risk assessment under review and comply with the duties to report "priority illegal content". Somebody other than the assessment writer, (although not necessarily a more senior person) also needs to approve the risk assessment.

 

This here is the only part where many small operations such as a small forum are going to struggle. I am the assessment writer, the responsible person, the owner and the approver. This is not an 'organisation', its a hobby-site, There is no-one else. There is only me. Man, I'm all for keeping kids safe online. I have three of my own, but this nonsense for a small hobby site is just mental.

 

In reality, I should be doing this for every blog I have too. And there are at least six of them.

This here is the only part where many small operations such as a small forum are going to struggle. I am the assessment writer, the responsible person, the owner and the approver. This is not an 'organisation', its a hobby-site, There is no-one else. There is only me. Man, I'm all for keeping kids safe online. I have three of my own, but this nonsense for a small hobby site is just mental.

 

In reality, I should be doing this for every blog I have too. And there are at least six of them.

 

Yes - you are absolutely correct.

 

The assessments are also more rigorous than I initially realised, as the obligation seems to actually be to write an assessment for each of the "17 main identified harms" by OFCOM - this is going to be a lot of work, more than I initially realised, but still not unfeasible.

 

If you need someone to co-sign assessments, reach out. Always happy to help. EDIT: Also note in this regard, the assessment "approver", nor the assessor themselves, need be a UK resident, of course. EU citizens or citizens from any part of the world for that matter do not seem to be prevented from taking part in assessments, as long as they are "competent" and are undertaking their assessment or approval role in consideration of OFCOM's guidance and Code of Practice.

 

FYI, blogs are not clearly within the scope of OSA as it appears at the moment. If the site does not have a user-to-user private messaging feature, or doesn't allow users to comment on each other's user-generated content, then it is not in scope. For example, if your blog only allows comments in response to your articles, you will be fine - but if your blog allows users to comment directly in reply to other's comments, this will bring you within scope.

For example, if your blog only allows comments in response to your articles, you will be fine - but if your blog allows users to comment directly in reply to other's comments, this will bring you within scope.

A simple case of turning off nested comments.

I don't know if it's just the way I see this, but it seems initially this thread was more like "Not a big deal" and now it's more like "Yeah, this is annoying". :ROFLMAO:

I don't know if it's just the way I see this, but it seems initially this thread was more like "Not a big deal" and now it's more like "Yeah, this is annoying". :ROFLMAO:

 

Absolutely - the initial reading was definitely (in my view, anyhow) that this was nothing more than a minor inconvenience.

 

Having read a lot more of the detail and OFCOM's expectations, my view has started to change ever so slightly, in the sense that I believe there's been a massive error in not offering exemptions to small websites run by a single "hobbyist" essentially. As you rightly previously stated, crap admins are simply going to either not bother with the requirements, get ChatGPT to write their assessments, or block UK access to their sites. The good admins will already have had consideration of Online Safety and for the most part will have these risk assessments in place informally anyway, asking them to put it onto paper is just causing administrative headache for your regular joe hobbyist.

 

The further problem is that the nominating of a "responsible person" who's duty is to report "priority illegal content" is worrying to me having studied the legislation in further detail. This is because the legislation provides for criminal liability for this "responsible person" for illegal content on the site, in certain circumstances. This could potentially lead to an admin who is perhaps careless, but not necessarily reckless or neglectful (in the legal sense of the word) being held criminally liable for content on their website.

 

I'm also really mindful that the implementation dates of some of the measures of the Online Safety Act have been somewhat rushed, not announced very well and in many respects have not given website owners, especially small websites, enough time to seek the necessary advice, expertise and assistance in order to become compliant. For example, it looks like this guidance and Code of Practice was published in December 2024, with implementation dates set for 16th March - I myself only realised the implementation date was this soon yesterday, so am now in a huge panic knowing that I have the whole of next week assisting the national charity organisation I work for to become compliant with this Act.

 

It's also not been explained to joe public very well that the Online Safety Act brings almost any website that offers service to UK consumers into scope. Even if you're an American or Australian website, if your website "has a significant number of UK users" or "has UK users as one of it's target markets", you're in scope and must comply. OFCOM provides further guidance on this significant number of UK users part, stating that a "significant number" need not be a majority, or even a small minority, but simply "more than an occasional UK user". It also does not matter whether or not the UK users are registered members of the site or not - the fact that they can access the site and there are a significant amount brings the site into scope.

 

While I don't see that all of this will be enacted rigorously in this way for small websites with a couple hundred visitors, and completely understand the need for the crackdown on "Big Tech" and their associated chums, for all these reasons I really do think the Government have significantly erred in not offering some limited exemptions, and whilst I personally do still feel that it is an overreaction of some to suggest that they need to either shut their websites down or block UK access to them, I do understand why some who might read the legislation or OFCOM Codes in isolation might think that this is simply too much personal risk involved.

 

I'm wondering if at some point it might be useful for me to write a really detailed guide on this subject, however, not sure how useful this will be given that the deadline date for implementation is 16th March. That being said, it's worth noting for anyone with a project in the pipeline - legislation now says that any service in scope that is online prior to 16th March must have it's risk assessments completed and in place by that date, but if the service launches after 17th March, the service will have 3 months in order to prepare it's assessments and come into compliance with the Act.

I'll be honest I don't really know what the whole thing is about, but based on experience with all those kind of regulations, the small ones are the ones that suffer the most.

 

Companies like FB etc. have lawyers to deal with that and tools already in place that may just need some tweaking. For any small website owner it's just pain in the ass that simply wasn't needed.

 

I don't know where I read this, but someone said something along those lines "You want to target Big Companies... you will end up with just Big Companies". This is obviously massive exaggeration, but it will 100% affect the number of independent small websites/communities which could be created, but won't.

This is like the same shit happening as when they've announced the GDPR law years ago. The internet was chaotic with people not knowing what it would entail for them. Has anything really changed ? Did we have to adapt to GPPR? Yes, maybe for account deletions. But that's been a part of forums for ages already.

So, personally, I don't worry about it much.

 

I understand it, we need to protect our minors, but we don't see any minors on forums anyway.

This is like the same shit happening as when they've announced the GDPR law years ago. The internet was chaotic with people not knowing what it would entail for them. Has anything really changed ? Did we have to adapt to GPPR? Yes, maybe for account deletions. But that's been a part of forums for ages already.

So, personally, I don't worry about it much.

 

I understand it, we need to protect our minors, but we don't see any minors on forums anyway.

I think GDPR didn't require any kind of risk assessment or other BS of similar kind, did it?

 

The whole issue here is... It's doable, but why would a hobbyist, who runs the forum for fun and doesn't get anything out of it, do it.

 

This will do f all in regards to protecting minors. If they really wanted to do something, they should have either ban "social media" entirely or make it 18+ and make sure that the companies, who run those, enforce it. They have both the money and technology to do it.

 

Could such restrictions be bypassed? Yes, they could, but it would have more impact than requiring an average Joe, running a forum with maybe not even one minor user registered, to jump through hoops.

I think GDPR didn't require any kind of risk assessment or other BS of similar kind, did it?

 

The whole issue here is... It's doable, but why would a hobbyist, who runs the forum for fun and doesn't get anything out of it, do it.

 

This will do f all in regards to protecting minors. If they really wanted to do something, they should have either ban "social media" entirely or make it 18+ and make sure that the companies, who run those, enforce it. They have both the money and technology to do it.

 

Could such restrictions be bypassed? Yes, they could, but it would have more impact than requiring an average Joe, running a forum with maybe not even one minor user registered, to jump through hoops.

It's more than likely some kind of hidden tax or ability to fine those larger companies. I really doubt they'll come after hobbyist forums who can show that they don't allow minors and have no cases in the first place.

 

They can't possibly control the whole internet. It's just going to be a case-by-case situation, I think. I just wouldn't allow minors on my forums to begin with. Keep that in your terms of service, and that's a good start.

 

Furthermore, I wonder as a Belgian running this forum - IF such case would arise here - how they'd handle it, as it's a UK law. But we have many UK members. It's impossible to know and impossible to be fully prepared I think.

 

Speaking of preparations, this is from someone on the XF forums who made his risk assessment:

 

[TABLE width=100%]

[TR]

[td width=10%]Risk[/td][td width=10%]Relevant Illegal Content[/td][td width=10%]Risk Level[/td][td width=35%]Evidence and Reasoning[/td][td width=35%]Mitigation Measures[/td]

[/TR]

[TR]

[td width=10%]User Generated Content[/td][td width=10%]Hate Speech, Harassment, CSEA, Terrorism, etc.[/td][td width=10%]Negligible[/td][td width=35%]Users can post content, but the community is small and moderation carried out regularly. Evidence: Low volume of user reports, active (DBS checked) moderator presence, clear community guidelines. There have been no incidents in 17 years. Users engaging in harmful behaviour would be immediately banned and any identified illegal behaviour reported to law enforcement agencies.[/td][td width=35%]N/A[/td]

[/TR]

[TR]

[td width=10%]Anonymity[/td][td width=10%]Harassment, Trolling, Illegal Content Sharing[/td][td width=10%]Negligible[/td][td width=35%]Users cannot post anonymously.[/td][td width=35%]N/A[/td]

[/TR]

[TR]

[td width=10%]User Connections[/td][td width=10%]Grooming, Harassment, Coercive Behavior[/td][td width=10%]Low[/td][td width=35%]Users can connect, but the community is small and connections may be limited. Evidence: Low number of user-to-user connections.

 

Private messages are not available until users have posted publicly and known to have a legitimate interest in the forum topic as a professional, educator or hobbyist.

 

Nor are private messages available to children. With or without effective age verification this would include any potential groomer posing as a child.

 

A very obvious and simple to use effective private message report system is enabled and monitored regularly.[/td][td width=35%]Monitor user interactions: Implement non-intrusive systems to detect and flag suspicious patterns of user interaction (e.g., excessive private messaging between adults and minors without infringing on privacy).

 

Implement blocking features: Allow users to block other users who engage in harmful behavior.

 

Educate users: Provide information and resources on online safety and how to identify and report grooming or coercive behavior.[/td]

[/TR]

[TR]

[td width=10%]Lack of Age Verification[/td][td width=10%]CSEA, Exposure to Harmful Content[/td][td width=10%]Medium[/td][td width=35%]Any content that is inappropriate for children is removed via regular monitoring or reports. Any users that post such content are subject to disciplinary action and, depending on the severity, would be banned and if content was deemed to be illegal would be immediately reported to law enforcement agencies.[/td][td width=35%]Consider age verification measures: Explore options for age verification (e.g., self-declaration, third-party verification services) while balancing privacy and accessibility concerns.[/td]

[/TR]

[/TABLE]

I think GDPR didn't require any kind of risk assessment or other BS of similar kind, did it?

 

The whole issue here is... It's doable, but why would a hobbyist, who runs the forum for fun and doesn't get anything out of it, do it.

 

This will do f all in regards to protecting minors. If they really wanted to do something, they should have either ban "social media" entirely or make it 18+ and make sure that the companies, who run those, enforce it. They have both the money and technology to do it.

 

GDPR was certainly nowhere near as onerous at this has the potential to be, that much is for certain.

 

Agree on the sentiment about it not being necessarily a targeted and effective enough tool to protect minors too.

 

 

It's more than likely some kind of hidden tax or ability to fine those larger companies. I really doubt they'll come after hobbyist forums who can show that they don't allow minors and have no cases in the first place.

 

They can't possibly control the whole internet. It's just going to be a case-by-case situation, I think. I just wouldn't allow minors on my forums to begin with. Keep that in your terms of service, and that's a good start.

 

Furthermore, I wonder as a Belgian running this forum - IF such case would arise here - how they'd handle it, as it's a UK law. But we have many UK members. It's impossible to know and impossible to be fully prepared I think.

 

You have to consider that the Online Safety Act doesn't only apply if you have children on your site - even if there are no children are ever present on Administrata, that does not mean it is out of scope.

 

You're absolutely correct in that the main sanctions directly offered by the Online Safety Act are huge fines. Well actually, they aren't huge fines - they're 5%/10% of annual turnover for a website. Huge for Meta or Google, but for Administrata, it'd be a hundred bucks or so I'd imagine. The more worrying thing is the actual sections of the legislation that confer legal responsibilities onto website owners for some "priority illegal content" on their service, as I previously mentioned. This will eventually lead to the possibility of criminal sanctions for individuals who run websites, if a nefarious actor uses their service for a malicious purpose.

 

You're right - the reach of the UK authorities will be limited by the fact that you're Belgian - for example, I don't imagine the Belgian authorities would be quick to agree to any sort of extradition request or anything (and of course, this is an absurdly unlikely scenario), but they could take action such as get UK court orders for ISPs to block access to certain non-compliant websites.

 

Sure - this is an unlikely occurrence, but imagine a scenario (which we all see on true crime TV) where somebody comes to harm as a result of somebody using an online service that I'm personally responsible for for a nefarious purpose. The law has conferred on me a responsibility essentially to "protect" visitors to my website. Now let's say something out of my control but disastrous happens - even if I am able to legally defend myself, what will the court of public opinion, media, newspapers etc do or think?

 

There is too much liability in society in this day. For this reason, am I to ever own a website again that comes into OSA scope, I will 100% complete everything on that OFCOM checklist to protect myself.

Planning to do my risk assessment this weekend.

 

I've already had a look at the requirements, and I have a rough idea of what I'm going to say... just need to put pen to paper.

 

It's annoying - but once that's done, I believe all I have to do is to continue what I've been doing for the past 15 years anyway :P .

Huge for Meta or Google, but for Administrata, it'd be a hundred bucks or so I'd imagine.

At the current time, they would be paying us!

I just saw this:

 

https://www.thehamsterforum.com/ams/forum-closure.79/

 

It is with huge sadness that the forum has closed on 16th March 2025. A lot of forums are having to close due to the huge requirements of the new legislation - the Online Safety Act. While this forum has always been perfectly safe, we were unable to meet the compliancy. As a small forum, we were unable to afford lawyers or fees for legal age validation. The care guide articles are still available to view on this page - please enjoy and hopefully they are of help. Former members are now on Instagram. Instagram address on photo.

 

Note: All former memberships have been deleted, removing all personal information as per GDPR.

 

This is of course, a huge overreaction by this admin.

Massively so. Martyrdom or using it as an excuse because they don’t want to run it anymore? Someone can correct me if they wish. But this legislation would come into effect if someone made a complaint about your site. You would have to show you had complied with their checklist. And, if found to be ‘guilty’ the punishment is a %age of revenue from the site. As a hobby site with expenses and no profit they can fine me 100% and it would still amount to zero dollars.

This is of course, a huge overreaction by this admin.

Few others have overreacted as well, according to this list.

 

They just can't be bothered doing a risk assessment which would only take them a few minutes of their time...

Few others have overreacted as well, according to this list.

 

They just can't be bothered doing a risk assessment which would only take them a few minutes of their time...

Damn, this is not good. We still need forums, it's vital for our content discovery. This new law sure does no good.

This new law sure does no good.

For all you know, it could be repealed. Even this guy thinks it'll fall flat as well...

Ozzy247 just released an add on for XenForo - This addon will scan each pm/dm as it is created for keywords you specify in the addons options. This is useful for ensuring your members are not engaging in illegal or unscrupulous behavior on your forum without your knowledge.

 

https://xenforo.com/community/threads/ozzmodz-conversation-dm-keyword-monitor-paid.229872/

 

A must have when you're concerned about this. - And running XF of course.

They just can't be bothered doing a risk assessment which would only take them a few minutes of their time...

I think a few minutes is a massive underestimation.

 

This law should have never come into effect in a form like this. I have no idea if there was any public consultation, but it all reminds me a bit of ACTA in 2012. Granted I don't exactly remember what the deal was with that, but I remember that popular websites in Poland have decided to modify their websites for 24hrs to protest. A lot of the websites have put some kind of a spotlight effect on top of them to basically obscure their content and had an information that this is how the web may end up looking like if ACTA comes into effect.

 

I believe English wikipedia, Reddit and Mozilla have temporarily shut down to protest American SOPA and PIPA law (I have no clue what that was).

 

IMO This is what should have been done to show it may kill the "small" web.

 

https://en.wikipedia.org/wiki/Anti-Counterfeiting_Trade_Agreement#Signatures_and_ratifications

Interesting thing I have just noticed - when you're leaving a facebook group which I believe has UK set as location, it offers you to report the group and UK Online Safety Act is mentioned there.