Based on illegal-content-duties-record-keeping-template.odt from Ofcom's Online Safety Toolkit outlined in Record-Keeping and Review Guidance.
This template is designed to help user-to-user (‘U2U’) and search service providers to meet their record-keeping duties under the Online Safety Act 2023 (‘the Act’).
This can be used alongside Ofcom's ‘Check how to comply with the illegal content rules’ tool, but using it does not guarantee your compliance.
The record-keeping duties set out in the Act (sections 23 and 34) require service providers to:
Full guidance on the record-keeping duties can be found in Ofcom’s Record-Keeping and Review Guidance.
As well as keeping a record, you are responsible for completing a suitable and sufficient risk assessment in line with your duties under the Act. Ofcom’s Risk Assessment Guidance provides full details on what to do.
You can sign up for online safety updates or make an enquiry via Ofcom’s website. For further support, you may wish to seek specialist or legal advice.
Activities and outcomes: identify the 17 kinds of priority illegal content that need to be separately assessed; consult Ofcom’s Risk Profiles and identify the key risk factors which are relevant to your service for each of the 17 kinds of priority illegal content.
What to include in your record: confirmation that you have consulted Ofcom’s Risk Profiles; a record of any risk factors from the Risk Profiles that are relevant to your service.
Confirm consultation of Ofcom's Risk Profiles (e.g., by recording outcomes of questionnaire or noting relevant factors here).
Activities and outcomes: consult Ofcom’s Risk Profiles and identify the key risk factors which are relevant to your service.
What to include in your record: confirmation that you have consulted Ofcom’s Risk Profiles; a record of any risk factors from the Risk Profiles that are relevant to your service.
Confirm consultation of Ofcom's Risk Profiles (e.g., by recording outcomes of questionnaire or noting relevant factors here).
Activities and outcomes: separately assess the likelihood and impact of each of the 17 kinds of priority illegal content, using all relevant evidence; assess the likelihood and impact of any other illegal content identified; consider service usage, design, operation, and existing controls; assign risk levels (high, medium, low, negligible) for each kind of illegal content based on evidence.
What to include in your record: list of additional characteristics considered; details of existing controls and their impact on risk levels; assigned risk level for each priority illegal content (and sub-categories like CSAM types) and other relevant illegal content, with evidence-based explanation; list of evidence and reasoning for likelihood/impact assessments.
You need to record the risk level you’ve assigned to each of the 17 kinds of priority illegal content and the evidence and considerations for each.
This is a guidance page to illustrate how to make your records for each kind of priority illegal content.
Risk level:
[GUIDANCE: Evaluate the likelihood and impact of each kind of priority illegal content to assign a risk level (high, medium, low, negligible). Consider the relevant evidence to inform this judgement. You may consult the risk level tables found in Ofcom’s Risk Assessment Guidance (this is also covered in Step 2 of our ‘Check how to comply with the illegal content rules’ tool).]
Risk factors considered:
[GUIDANCE: List any relevant and specific risk factors which relate to this kind of illegal harm (such as “messaging services”, “child users (under-18s)”, “user groups” etc.) from Ofcom’s Risk Profiles. Our ‘Check how to comply with the illegal content rules’ tool presents the associated kinds of illegal harm for each risk factor you select, or you can consult table 9.1 in the Risk Assessment Guidance.]
Additional characteristics considered:
[GUIDANCE: List any additional characteristics of your service which may be relevant (including user base, business models, functionalities, governance, and systems and processes) you have considered alongside the risk factors identified in Ofcom’s Risk Profiles.]
Existing controls considered:
[GUIDANCE: If you have considered the role of any existing controls already in operation on your service at the time of the risk assessment, you should record what these controls are, what risks they are intended to mitigate and how they do this, and how the consideration of the existing controls has impacted the risk level you have assigned to a kind of illegal content.]
Evidence:
[GUIDANCE: A list of the evidence, and summary of the reasoning, that has informed the assessment of likelihood and impact of this kind of priority illegal content, including any core and enhanced types of evidence.]
Activities and outcomes: consult Ofcom's illegal content Codes of Practice, check which measures are recommended for your service, and decide how to implement applicable measures, or use alternative measures; understand how to implement all relevant measures; record the outcomes of your risk assessment.
There are separate record-keeping duties for any measures taken to comply with a relevant duty as recommended in the illegal content code of practice, and where the service provider chooses to take or use alternative measures to comply with a relevant duty.
A written record of each measure that is taken or is in use as described in the illegal content code of practice, which: a) provides a description of the measure; b) identifies the relevant code of practice; and c) gives the date that the measure takes effect.
To help you record this information, for each of the measures Ofcom recommends, we set out which duty it relates to in the illegal content Code of Practice and in the recommended measures section of our ‘Check how to comply with the illegal content rules’ tool.
A written record must include:
Where you choose to adopt any alternative measures to comply with the duties relating to illegal content, the written record must also state whether the alternative measures have been taken or are in use in every area listed in table 2 of the Record-keeping and Review guidance (this is also listed in Step 3 of the ‘Check how to comply with the illegal content rules’ tool).
[Description of the recommended measure from the Illegal Content Codes of Practice.]
[Whether the measure has already been implemented or is planned to be implemented.]
[Identify the relevant code of practice.]
[List the duties this measure helps comply with.]
Add more sections for each recommended measure implemented.
[Measure recommended in the illegal content code of practice, based on the outcome of your risk assessment, that you have chosen not to implement.]
[Details of the alternative measure you have chosen to implement instead.]
[Duties that this measure helps you comply with, and an explanation of how the alternative measure fulfils that duty.]
[How you have complied with the duty to have particular regard to the importance of protecting UK users’ (and interested persons if you are a search service) right to freedom of expression and privacy (Section 49(5) Online Safety Act).]
[State whether the alternative measure has been taken or is in use in every area from table 2 of the Record-keeping and Review guidance (also listed in Step 3 of the ‘Check how to comply with the illegal content rules’ tool).]
[Date the measure came/will come into effect on your service.]
Add more sections for each alternative measure implemented.
Activities and outcomes: report risk assessment and measures via governance channels; monitor effectiveness of measures; monitor developing risks and residual risk; review/update risk assessment regularly and before significant service changes. Category 1/2A services must supply Ofcom with risk assessments.
What to include in your record: written record of annual review cycle and responsible person; confirmation of reporting through governance channels.
Keep a copy of each record of your risk assessment and the date on which it was reported. Update this field for each record.