top of page
Writer's pictureCaro Robson

Ofcom publishes first consultation on Online Safety Act

Updated: Jan 8

09 November 2023


Ofcom published its first major consultation on the Online Safety Act today, on Protecting People from Illegal Harms Online. Three more major consultations are planned in the next 18 months. 


Respondents have until 5pm (GMT) on Friday 23 February 2024 to submit comments.


Speaking on the Today programme this morning, Ofcom Chief Executive Dame Melanie Dawes said that Ofcom would not approach regulation via individual complaints (as with broadcasting) but will look at the systems and processes services have in place to manage risk. 


Dame Melanie said that services now have a “new duty of care to prioritise safety not just profits.” Ofcom have recruited 350 experts from industry, academia and campaign groups, including the NSPCC and 5Rights to regulate the Online Safety Act.


The consultation documents are extensive, but the at-a-glance summary attached gives an overview of the proposed action required by user-to-user (U2U) and search services in scope. The Today programme reported that this may include over 100,000 online services. 


The consultation proposes that two factors will determine which requirements apply to a service: the size of the service and the risk of illegal harm it represents.


  • Size of service has two categories: large services (with an average user base of 7 million per month in the UK) and small services 


  • Risk of illegal harm comprises three categories: low risk, specific risk (harm-specific measures will be required) and multi-risk (where a service shows medium or high risk of at least 2 of the 15 kinds of harm in Ofcom’s risk profile: additional 'general' measures may be required)


All services will be required to carry out risk assessments for illegal harms, using the risk profiles provided by Ofcom (draft profiles for the 15 harms are proposed at Appendix A to Annex 5 of the consultation), and using the proposed 4-step risk assessment process. 


All services will be required to keep records of risk assessments, and have a named person accountable to the most senior governance body in the organisation for compliance with duties under the Act.


Risk assessments should be carried out using the following data:


  • Risk profiles from Ofcom 

  • User reports

  • User complaints

  • User data, including age

  • Retrospective analysis of incidents of harm and other relevant information the service holds

  • If the above data is insufficient, Ofcom proposes a number of additional information sources to assess risk, including use of external experts.


The proposed risk profiles set out a number of questions service providers must ask about their services and the risk of particular harms, set out at Appendix A to Annex 5 of the consultation (34 questions for U2U services and 11 for search services in total). 


Anyone wishing to respond to the consultation has until 5pm (GMT) on Friday 23 February 2024, via the form available at www.ofcom.org.uk. 

bottom of page