POSR0009
Written evidence submitted by Ofcom
1 Background to Ofcom’s online safety work
Independent regulation and communications convergence
1.0 Ofcom was established by the Office of Communications Act 2002. We are accountable to Parliament, and to the public and the companies we regulate via the courts. We are led by our Board, and we make decisions independently and on the basis of the evidence, which underpins our trust and credibility with the industries we regulate. We are funded by industry fees and we do not draw on public expenditure.
1.1 Ofcom is a converged communications regulator, combining duties across broadcasting and media, telecommunications and spectrum management. Since 2002, Parliament has given us additional responsibilities, including regulation of postal services, the BBC, video-sharing platforms, and telecoms security. The Online Safety Bill, recently passed by Parliament, will make Ofcom the online safety regulator, broadening our regulatory perimeter, in line with ever-increasing communications convergence.
1.2 Clearly the addition of Online Safety is a significant increase in remit, and a big change for Ofcom. However, we believe it sits very well with our existing remit, which means we can do the job both well and efficiently. From a policy perspective there is clearly strong complementarity with our existing media and broadcasting work, given the way that consumers increasingly move across traditional and social media for entertainment and news. People also use social media and gaming to connect with each other, with apps such as WhatsApp straying into the territory traditionally occupied by telecoms companies. In addition, the industry itself is ever more converged across our sectors. Amazon, for example, is a logistics/parcel operator, makes entertainment content through Prime, runs a gaming platform in Twitch and – as the world’s biggest Cloud provider – is at the centre of internet infrastructure.
Preparations for Online Safety
1.3 In February 2020, the Government announced it was minded to appoint Ofcom as the regulator for online safety in the UK. This built on our work as the regulator for UK-established video sharing platforms (VSPs) under the Audiovisual Media Services Regulations which came into force in November 2020. This, together with our media literacy duties and our years of research into media use and attitudes, ensured a strong strategic fit and allowed us to quickly ramp up preparations.
1.4 The Government confirmed our appointment through its full response to the Online Harms White Paper in December 2020. In order to support us to move swiftly to implement the legislation, ministers decided to fund our preparations in parallel to the parliamentary passage of the Bill. The upfront preparatory costs will be recouped from the industry once the new fee regime is in place.
2 Forward-looking organisational design with embedded technical expertise
Incorporating online safety
2.1 Ofcom’s leadership has been clear that our new online safety duties are not a ‘bolt-on’. We need to integrate our work in this area as a core part of the organisation so that we make the most of the synergies between our online safety duties and the rest of our remit, and manage any risks to our existing regulatory functions.
2.2 It is important to note that neither funding for nor work on our existing duties – telecoms, post, spectrum management and broadcasting and media – has been affected by our online safety preparations. Funding in these areas comes from industry fees from the relevant sectors, subject to an overall cash budget cap set by the Treasury. Our work programme is determined following consultation each year, and published at the start of the year in our Annual Plan of Work.[1] Over the past decade, our overall fees have been largely flat in cash terms, meaning that the direct cost of our regulation has fallen significantly in real terms.
2.3 We have given a great deal of thought to the structures, capabilities and skills we need for our expanded remit. The CEO led a full organisational design review in 2020 which was signed off by the Board. This restructured Ofcom around four regulatory policy groups – Broadcasting and Media, Spectrum Management, Online Safety and Network & Communications; supported by four cross-cutting professional and corporate functions – Legal and Enforcement, Strategy and Research, Economics and Analytics and our Corporate Group. The main aim of this was to ensure clearer accountability for all Ofcom’s regulatory regimes, with each clearly lodged in one of the four regulatory groups, while preserving our flexible “matrix” structure for shared professional skills and support. Most of the new structure was implemented immediately in the autumn of 2020.
2.4 For Online Safety, rather than establish the new group straightaway, we put our preparations on a major programme footing at the beginning of 2021. The programme brought together policy and organisational work under single governance. The detailed organisational design for Online Safety was carried out during 2022, once the scope and timing of the Bill was clearer. Key senior appointments were made over the winter of 2022-23 and the programme was closed as the new Group went live on 1 April 2023.
Recruitment and skills
2.5 We expect that by March 2025 our headcount dedicated to online safety regulatory activities will be between 360-400 FTE (see annex). The new roles will be carried out across a range of locations in order to make use of skills across the UK. Ofcom already had offices in each of the three devolved nations, on top of specialist sites in Warrington, Birmingham and Baldock. In 2021 we opened a new hub in Manchester to broaden our base. This hub will house up to 150 Ofcom-wide roles, with a focus on technology and cyber security skills.
2.6 Our recruitment – which is nearly completed for most teams – has included new skills such as content moderation and machine learning technologies, but we have also expanded traditional Ofcom specialisms such as economics, policy-making and enforcement. We have recruited from a wide range of external organisations to ensure as broad a base of experience as possible. This includes specialists from bodies such as the NSPCC, Internet Watch Foundation, Centre for Data Ethics and Innovation, the National Crime Agency and the Met Police, as well as companies such as Google, Meta and Twitter.
2.7 Our organisational development for Online Safety maps the progress of the legislation:
3 A clear strategy underpinned by effective programme management
The importance of strong programme management and our focus areas
3.1 Ofcom has a strategy for online safety with measurable priorities, embedded within programme management. An Online Safety Programme Board (OSPB) met for the first time in February 2021 (following approval of its Terms of Reference by the Policy and Management Board (PMB), Ofcom’s most senior executive forum). OSPB provided in-depth executive oversight of the set-up of the online safety regime, i.e. the overall online safety programme across Ofcom, from a policy, regulatory strategy, operational and corporate planning perspective.
3.2 We identified five focus areas to structure and prioritise our preparations via the Online Safety Programme. Thes are described below.
Priority 1 - supporting the legislative process
3.3 The Online Safety Bill has gone through change since it was published in draft in May 2021. With funding in place to build our team and expertise since 2021, Ofcom was able to provide Government and Parliament with expert, independent input to the legislative process. Choices about the scope of the Bill were clearly for Parliament, and we focussed our input on practical implementation issues and ensuring a workable legislative framework.
3.4 For each major change to the Bill’s scope, we assessed and advised on the workability and financial implications. On timing, we assessed the impact of delays on the critical path for implementation and reviewed our preparations in response. We published our roadmap in July 2022 to provide clarity about our overall approach and expected timings for implementation of the new regulatory regime[2], and we will be updating this immediately the Bill gets Royal Assent.
Priority 2 - preparing our regulatory approach
3.5 Our second priority was to build our the evidence base during the parliamentary process so that we could develop our policies and start publishing the foundational documents underpinning the regime as soon as our powers came into effect. We have published calls for evidence on first (illegal), second (protection of children) and third (categorisation) phases to inform the development of the consultations.[3]
3.6 We also commissioned a wide range of research and undertook analysis into the prevalence, impact and causes of key online harms and the options for addressing them across different platforms. Among other things, this has focused on understanding where harms occur and how platforms’ incentives affect their role in propagating harm and their likely responses to specific regulatory interventions. We set up engagement with several companies to get a deeper understanding of how they currently mitigate and manage online harms, including at a detailed technology level. Given the degree of change in the industry, a systematic Horizon Scanning function aims to stay abreast of the biggest themes and trends that will impact our sectors and consumers in the next 5-10 years, so we can plan how our approach may need to develop.
Priority 3 – building public trust and awareness
3.7 As we implement the new Online Safety regime we will also be working to communicate and explain to the public what this means for them, and help to set public expectations. The online safety ecosystem is broad, and our success will depend on building effective partnerships with industry, civil society, academia and other regulators – both domestically, and overseas. As part of our preparatory programme we have engaged with industry, civil society, public bodies, and independent experts, as well as policy makers and other regulators around the world to raise awareness, test our approach and build out our capabilities. We have also invested in speaking directly to users, including children and young people.
3.8 We are also building our relationships with the sector, both to develop our own knowledge and understanding of these businesses and to prepare them for a future regulatory relationship. Ofcom has had structured meetings with over 80 platforms of different size, reach and business models, and has met many more through industry conferences and roundtables. We also work with trade bodies such as techUK, the Startup Coalition and the Online Dating Association to engage with smaller platforms. This engagement is forming a precursor to the supervisory relationships we will have with platform.
Priority 4 – setting up our operations
3.9 Recruitment for online safety began in 2020, but the majority of roles were filled in 2022 and 2023 and it was in the summer of 2022 that we finalised our structure and organisational design. We created an Online Safety Group which is accountable for the regime and for achieving our objectives as a regulator. But a large proportion of our online safety staff work in professional groups and functions including legal, enforcement, strategy, research, economics and corporate including data.
3.10 Our Board has taken regular assessments of our preparedness for launch of the regulatory regime, with the latest in September 2023.
Priority 5 – investing in technology, data and sector knowledge
3.11 We have accelerated our investment in technology, data and innovation skills since 2020, to manage future needs from longer term innovation across the industries we regulate, and to offer professional development for our specialists. We have worked to embed technology expertise throughout all our activities, via technical inputs to the foundational drafting and publication of Codes and Guidance, new approaches to monitoring effectiveness of the regime and bolstering supervisory activities. Between 2021 and 2023 this was lodged in a free-standing Technology and Data Group, but in 2023 we decided to embed the expertise across all Ofcom groups, instead.
3.12 We will be regulating the largest data companies in the world, and it is essential we are an effective data-driven regulator. The Online Safety Programme includes an explicit data strategy which will include how we gather, ingest and analyse the information we will need to monitor outcomes and compliance.
4 From preparation to delivery
4.1 We are implementing the Online Safety regime in three phases. The timings of these phases will be driven by the requirements of the Act and relevant secondary legislation.
Phase one – Illegal content
4.2 The focus of this first phase is the regulatory framework around the illegal content duties. This will address significant dangers online such as terrorism and fraud and includes measures to protect children from child sexual exploitation and abuse. We will publish our consultation on these duties very shortly after Royal Assent. This consultation will contain our proposed approach to the illegal harms Codes of Practice, setting out the measures that regulated services can take to mitigate the risk of illegal harms. It will also include Ofcom’s assessment of the causes and impacts of illegal online harms, and guidance on how we expect services to conduct risk assessments.
Phase two – child safety, pornography and protecting women and girls
4.3 In December 2023, we will publish our consultation on draft guidance for services that publish or display provider pornographic content online. The key requirement in the Bill is for highly effective age verification at aged 18.
4.4 In Spring 2024, we will consult on our codes of practice and guidance for the protection of children. At the heart of this consultation is the question of ensuring an age-appropriate experience for teenagers, including protections from suicide and self-harm material.
Phase three – additional duties for categorised services
4.5 The third phase of online safety regulation will focus on the additional duties that will apply to categorised services, including those relating to transparency reporting, user empowerment, fraudulent advertising, and user rights.
Beyond – transitioning to enforcement and supervision
4.6 We are aware of the level of scrutiny that will be on us as we make these early regulatory interventions. We have a range of powers to address harm and target our initial interventions under the regime. Under the Online Safety Bill, Ofcom will gain information gathering and enforcement powers, including powers to impose substantial fines. Enforcement action is one element to ensure compliance and works alongside our other regulatory functions and levers to ensure users are protected online.
4.7 We will take a strategic, engagement-first approach to compliance and have set up a standalone supervisory function which will closely interface with our enforcement function. This will go live on day one, so that we will immediately start working with key platforms even as we are consulting on and developing our codes of practice.
4.8 Our approach to enforcement in the Online Safety regime will build on our existing experience . In the initial stages of the regime, we expect to reserve formal action for either the highest profile/ highest harm incidents, against firms who deliberately flout the rules or have taken no/little action to bring themselves into compliance, or where engagement has failed and we need to increase pressure on firms to come into compliance. Ofcom must produce enforcement guidelines which will set out a priority framework listing the factors we will consider in deciding whether enforcement action is appropriate.
Join up with other regulatory regimes
4.9 We have long recognised the potential for different digital regulatory regimes within the UK to interact, and the importance of streamlining efforts with other regulatory bodies. In 2020 we established the Digital Regulation Cooperation Forum (DRCF) with the ICO, CMA, and later the FCA, to support coordination across digital regulatory efforts in the UK. We publish our workplan each year in advance. DRCF is proving to be a highly effective forum for us, where we can jointly work through strategic questions such as future developments in technology or how to audit algorithms; through to the detailed interactions beween our regulatory regimes.
4.10 To support the work of the DRCF, we have considered what legislation may be needed to support effective cooperation on digital matters. In 2021, the DRCF published advice to DCMS on how duties and information sharing gateways can support cooperation. Since then, we have worked across the regulators to support the Government’s development of digital legislation so that effective cooperation is built into new regimes, including the Online Safety Bill. This includes a provision to update the CMA’s information sharing gateways to reflect Ofcom’s new Online Safety functions as well as provisions to ensure that Ofcom effectively consults the ICO and the FCA under the Online Safety Bill. We are continuing to leverage our DRCF partnerships to look at provisions across regimes, such as information gathering provisions, to assess what we can learn from each other today and in the future when the regimes are in operation.
Join up with other international regimes
4.11 We recognise the importance of aligning international approaches and engaging with our international regulatory counterparts, given the transnational nature of platforms and the global character of many online safety challenges. With our regulatory counterparts around the world, we share expertise, experience, and evidence to better coordinate our approaches to online safety regulation. This includes working closely with the regulators across Europe which will be implementing the EU’s Digital Services Act. Further to this, in November 2022 we co-founded the Global Online Safety Regulators Network, the only forum for international regulators that is dedicated to online safety. We also work with the broader online safety policy community, through our involvement in a variety of multilateral and multistakeholder forums, including the World Economic Forum’s Global Coalition for Digital Safety, as well as ongoing engagement with various initiatives of the OECD and UNESCO.
Monitoring and evaluating our impact
4.12 Given the depth and breadth of the Bill, and the complex and innovative nature of the services in scope, the regime will be inherently iterative. Evaluation will contribute to the evidence we need to learn and improve. However, we have already done much to test our approach through the calls for evidence on both illegal harms and the protection of children, as well as through our first two years of regulating UK-domiciled video-sharing platforms such as TikTok, Snap and OnlyFans.
4.13 A core challenge is that there is no industry-wide consensus on measuring and tracking the prevalence of harms and the effectiveness of safety measures. Most platforms measure takedown of illegal content, but measurement of prevalence of harm is weak. We set up a specific programme of work with the industry to understand approaches to content moderation, metrics and measurement through a series of collaborative meetings in 2021-22 with policy and technical staff at six platforms of different sizes and types. This has helped us to test our approach, as well as contributing to the development of our monitoring and evaluation framework.
4.14 Identifying specific and realistic objectives and metrics to measure whether we are achieving them as early as possible will be a key focus in the early years of the regime. We are currently articulating how potential interventions are expected to address harms in a way that help us to achieve our objectives as well as identify potential unintended effects.
5 National Audit Office (NAO) review of our preparations
5.1 The NAO report, ‘Preparedness for online safety regulation’, published on 12 July, provided a welcome, independent audit of our preparations. It concluded, “Ofcom has made a good start to its preparations and has taken the steps it could reasonably have done by this point: compiling an evidence base to inform its implementation of the new regime; putting in place the capacity, capabilities and organisational design it needs to begin operating the regime; and engaging with stakeholders.”
5.2 The NAO made several recommendations in their review which we have factored into our preparations.
Ofcom’s external communications | Response |
Recommendation: manage the public’s expectations about the regime’s impact and Ofcom’s role during implementation to give confidence in the credibility of the new regime with the public, industry and others | We have a comprehensive communications plan in place, which will: explain how the new laws will work in practice, including what they mean for adults and children, and regulated services; set out our timelines and approach for implementing the regime; drive engagement with our consultations; and tackle misconceptions.
We have been doing all these things while we have been preparing to take on our new role, and these activities will increase after we receive our powers. We communicate with the public and other stakeholders in several ways, proactively and reactively – including through the media and our digital channels. |
Recommendation: develop its plans to inform industry about its requirements, particularly ensuring its data requests are coordinated and proportionate, and establishing how it will collect feedback, particularly from smaller, non-categorised companies | We will be providing industry with a significant update on implementation timings, what the obligations on services will be and when they will come into force very shortly after the Bill achieves Royal Assent. Ofcom will proactively support all in-scope services to be compliant with the provisions of the Act. We will supervise high reach and high risk services to understand the systems and processes they use to protect users and to drive improvements. We will ensure services are informed they are supervised within 100 days after Royal Assent. We will also support the diverse set of smaller in-scope services by developing digital tools and easy-to-use resources, and targeted engagement (both directly and through industry bodies). We are also establishing a central function to coordinate information requests across relevant services, including smaller services. |
Ofcom’s financial management | Response |
Recommendation: establish how it will manage the financial risks presented by the additional year of set-up and increased staffing need; as it does so, it should report transparently on its set-up costs through its normal reporting mechanisms, including its annual report and accounts | We are in the process of finalising a budget with DSIT for FY24/25 and proceeding with further business planning now the legislation has been finalised.
We have also prepared and submitted our annual report and accounts which covers Online Safety costs and will continue to report transparently on this in future years. |
Recommendation: clarify its overall approach to long-term financial management, including the scope of its financial modelling and its assumptions about the future costs and funding of the regime. | As well as finalising our FY24/25 budget, Online Safety will be incorporated into our overall spending review submission, in due course. This will cover our cost expectations for the full spending review period.
We are also preparing to consult on and stand up the fees regime to recover initial set up costs and cover ongoing costs year to year. |
Ofcom’s skills and capability | Response |
Recommendation: identify how it will reach the capability and capacity it needs and keep this relevant and up-to-date so that it is equipped to keep abreast of technology developments, the development of new online services and platforms, and changes to user behaviour as the regime is implemented and becomes operational. | All Ofcom’s workforce planning process runs half yearly. It is done in the context of our organisational three-year plan and our published 12-month Plan of Work. The online safety-specific detail of this workforce plan then feeds into our online safety learning and development provision, as well as our recruitment pipeline considerations, ensuring we are pro-actively building both the capability and capacity required. We partner with our Strategy and Research team, Online Technology team, Online Safety leadership team and wider academic external partners, to ensure we keep abreast of technology developments and understand the implications of these in regard to our knowledge, skills and approach to ways of working. More widely, Ofcom has launched a systematic Horizon Scanning function to understand the impact of technology developments over the next decade. |
Ofcom’s monitoring and evaluation | Response |
Recommendation: ensure that its processes for collecting data from service providers and its generation of automated information about these are providing it with data of sufficient quality to inform its regulatory duties and enable it to adapt its approach if the data show it is not achieving its aims. | Ofcom has established a Data Management Office (DMO), responsible for management of data, data governance and the quality of data, including working with cross-Ofcom teams to ensure the quality of material models. This data will include data and information that is acquired or requested from platforms, data that is bought and ingested from third parties, and subsidiary data. The workstreams on centrally coordinating information requests and promoting compliance among the longer tail of smaller, non-categorised companies will work with the DMO to ensure data quality is assured and lineage of data (including confidentiality and sensitive meta data) are maintained throughout the system. Alongside this work, the Ofcom Data Strategy has a key pillar of activity, Data Excellence, that is looking at the end-to-end governance of data, covering quality, legal, security, ethical, and privacy. This will ensure Ofcom has the capability to ingest large amounts of data safely and that this data can be used efficiently and effectively by the teams that require it for decision making |
ANNEX: Ofcom’s resourcing for the online safety regime
Breakdown of Ofcom’s online safety budget
1.1. As with other areas of Ofcom’s regulatory remit, the online safety regime will be funded by industry fees paid by the services we will regulate. While Ofcom began our preparations for implementations before the Online Safety Bill was granted Royal Assent – and before we set up our fees regime to levy industry fees – the Government agreed to fund these preparations using receipts received under the Wireless Telegraphy Act 2006.
1.2. These receipts would have otherwise been given to the Government, and they will be recouped once the online safety fees regime is in place.
Financial year | Spending cap uplift (as of autumn 2021) | Actual direct online safety costs (as of autumn 2023) | Overall Ofcom spending cap | Online safety costs as proportion of overall spending cap (autumn 2023 estimate) |
|---|---|---|---|---|
2020-21 | £2.7m | £2.7m | £155.7m | 1.7% |
2021-22 | £19.2m | £14.7m | £155.7m | 9.4% |
2022-23 | £41.6m | £38.2m | £180.7m | 21.1% |
2023-24 | £47.0m | £47.0m | £187.0m | 25.1% |
Total spend by the end of 2023-24 | £110.5m | £102.6m | ||
2024-25 |
| £66.0m[4] | ||
Total spend by the end of 2024-25 |
| £168.6m |
1.3. As outlined above, our online safety spending caps for 2021-22 and 2022-23 were set at £19.2m and £41.6m respectively, yet our total direct costs during these financial years resulted in an underspend in relation to the spending caps. This is due to significant changes that were made to both the Bill’s scope and timetable for Royal Assent which required Ofcom to revise our own preparations, as compared to the spending review submissions made to the Treasury.
Breakdown of online safety headcount
1.4. We expect that by March 2025 our headcount dedicated to online safety regulatory activities will be between 360-400 FTE. A new Online Safety Group was established in April 2023, however the cross-cutting skills and expertise capacity that Ofcom has built is also spread across several other specialist groups which dedicate part of their resources to online safety. The breakdown of Ofcom staff working on Online Safety now includes:
1.5. The NAO’s report cited a figure >450FTE, which included people working in our corporate functions (mainly in data teams). The table below shows staff working specifically on online safety activities. Corporate headcount for online safety is not demonstrated in the table, and is included in the footnote.[5]
Group | 2021/22 FTE | 2022/23 FTE | 2023/24 FTE (Forecast) | 2024/25 FTE[6] (Forecast) |
|---|---|---|---|---|
Online Safety Group | 46.4 | 130 | 192.7 | 228 |
Legal and Enforcement | 12 | 23.5 | 39.3 | 45 |
Economics and Analytics | 9 | 25.8 | 31.8 | 32 |
Strategy and Research | 20 | 47.3 | 61.3 | 58 |
Total | 87.4 | 226.6 | 325.1 | 363 |
Ofcom’s research into online safety
1.6. To prepare our regulatory approach for the online safety regime, Ofcom has undertaken and commissioned a range of research projects into the causes, prevalence, and impact of online harms.
1.7. This range of research includes our longitudinal Online Experiences Tracker to better understand how UK experiences of certain harms change over time. We’ve also commissioned bespoke research to better understand the specific harms within the Online Safety Bill, such as our on Search and prohibited goods . To target the hardest to research areas, we’ve been trialling more novel methods such as avatar and schools research and investing in our Behavioural Insights discipline, for example via our Serious Games pilot.
1.8. As of October 2023, we have completed approximately 60 research projects since our preparations began and we expect to undertake and complete a further 50 future projects to support our implementation of the regime. These research projects supplement the range of existing external research from which we have drawn to support of our evidence base.
October 2023
12