Hot on the heels of the guidance about preventing online harms to women and girls that was published earlier this week, Ofcom has now issued guidance about how it will exercise its information-gathering powers.
Under the Online Safety Act, Ofcom has legal powers to access information held by regulated companies and third parties. It can also remotely inspect how a platform's algorithm works in real time. An example might be in the context of looking at what platforms recommend to users, particularly children.
The information Ofcom collects will help it to scrutinise how effective tech firms' safety measures are, and it can also require data where it has specific concerns that the Act is not being followed.
As well as requesting information and data, Ofcom can carry out an audit of a tech firm's safety measures and features. In exceptional cases, it can enter the UK premises of tech companies to access information they hold and examine their equipment.
The guidance explains the factors that Ofcom may take into account in deciding when and how to exercise the new information-gathering powers. It also explains the legal duties imposed on regulated services and other third parties, setting out Ofcom's expectations about how they should respond to a statutory information request from Ofcom.
Following consultation, Ofcom has made some changes to the final version of the guidance by:
- providing more information about the protections the Act provides in relation to Ofcom's disclosure to overseas regulators; and
- providing further information about when and how it may use its powers to require tests or demonstrations, and other general mechanics around some of the powers, including remote viewing.
It has also made some minor changes to its Guidance on the Coroner's Information Notice Power based on its recent experience and made certain changes to mirror the approach taken in its General Policy on Information Gathering, which it published in December 2024. It gives more information about the approach to user privacy and the security of stakeholders' systems in connection with the powers.
Failure to comply with a request for information (an "information notice") from Ofcom in an accurate, complete, and timely way can lead to fines of up to £18 million or 10% of a firm's worldwide revenue - whichever is higher. Or, in the most extreme cases, there could be criminal liability. Ofcom refers to action it has taken under the related video sharing platform legislation and makes clear it will pursue firms who do not cooperate.
The guidance comes into force immediately. It's worth noting that it isn't binding, so Ofcom can effectively decide to use its powers on a case-by-case basis.