Ofcom published a statement yesterday announcing its finalised guidance on its information gathering powers under the Online Safety Act (OSA). The guidance aims to help online services understand the factors Ofcom may take into account when deciding whether to exercise these powers, and is intended to be flexible to enable Ofcom to consider the individual circumstances in each case.
By way of recap, Ofcom has a range of information gathering powers under the OSA to aid in investigations of potential infringements. These include:
- requiring companies to generate information by performing tests and/or demonstrations;
- asking companies to provide “any information” (including confidential information) required for Ofcom to exercise, or to decide whether to exercise, any of its online safety functions (known as an “information notice”);
- issuing specific information notices to allow Ofcom to remotely view certain information in real time, including tests and demonstrations, and to request information relating to a deceased child's social media account if requested to do so as part of a coroner’s investigation;
- appointing a “skilled person” to assist Ofcom to identify any actual or potential failures to comply with the OSA; and
- general powers to enter, inspect and audit a business’s premises as part of an investigation, and to request interviews with the service provider’s staff.
Ofcom ran a consultation on the draft guidance in July last year and has made several key changes to the guidance in response to the consultation:
- There is additional information on the protections provided by the OSA in relation to disclosure of information to overseas regulators. This includes clarification that information will only be disclosed to the overseas regulators specified in the regulations made by the Secretary of State. Further, information so disclosed will not be used for another purpose or further disclosed except with Ofcom’s consent or in accordance with an order from a court or tribunal.
- Ofcom has provided further detail on how and when it will use its powers to demand tests or demonstrations, including the general mechanics of these powers. For example, Ofcom has clarified that a test/demonstration will not need to be conducted on the live service if there is a test environment available, or if it would not be proportionate to do so (taking into account the potential impact on users). In relation to test datasets, Ofcom has made clear that it will in most cases discuss the criteria for such datasets well in advance of requiring a test/demonstration to take place.
- The final guidance provides more information on Ofcom’s approach to user privacy and the security of stakeholders' systems when exercising its powers, particularly its remote viewing powers. To this end, Ofcom states that it generally envisages that it will be sufficient to conduct remote viewing via a simple ‘screensharing’ mechanism (e.g. using a video calling application, such as Microsoft Teams) and makes explicit reference in the guidance to the ICO’s guidance on lawful basis and data security.
- Some changes have also been made to reflect the updates to Ofcom’s General Policy on Information Gathering, which was published in December.