Crisis Response Protocol

Background

Last year Ofcom consulted on additional safety measures with three main objectives:

• stopping illegal content going viral
• tackling harms at the source; and
• affording protections to children.

As regards the first of these, Ofcom’s proposals suggested changes to recommender systems and the introduction of crisis response protocols (this was, in particular, in response to the Southport riots in 2024). The introduction of crisis response protocols forms part of the response to what was otherwise a gap in the regime (see our analysis at the time), though there were questions as to scope and to what benchmarks for success would look like.

Ofcom has considered the responses to its consultation and has now published its statement on crisis protocols, confirming that further requirements will be added to the codes on illegal content and on protection of children for user-to-user services, subject to Parliamentary approval.

As Ofcom notes, there is a difference from the measures as consulted on: rather than one measure, Ofcom has split the measure in to two, the first dealing with the obligation to have a system to mitigate and manage risks in the event of a crisis (as defined - see below); the second dealing with contact with law enforcement during a crisis. Ofcom has also clarified the purpose of the measures - that is they are to help mitigate and manage the risks arising from a significant increase in illegal content and/or content harmful to children on a service during a crisis and, where relevant, the risk that a service will be used to commit or facilitate a priority offence. Ofcom has published the statement, plus draft consolidated codes.

What’s in the Codes?

Services in Scope

In Ofcom’s view, there is little evidence suggesting that search services play a role in driving virality in crises and therefore the measures do not apply to search services. Ofcom has limited the obligations to service providers that are large and at medium risk of specified types of content; and providers of any size that are high risk. For illegal content, the relevant categories of content are: terrorism, hate, harassment, stalking, threats and abuse, and foreign interference; and in relation to content harmful to children: abuse, hate, and violent content. These categories are the categories into which Ofcom has grouped the offences listed in Schedules 5-7 OSA. For example, hate includes the priority Public Order Act offences and those in the Crime and Disorder Act as well as the Scottish Criminal Law (Consolidation) (Scotland) Act 1995.

The inclusion of small, high-risk services reflects the fact that these services can play a pivotal role in the information environment as a whole (Statement, para 3.83).

Definition of Crisis

Ofcom has provided a definition of crisis to provide a common starting point across platforms to assess when these measures come into play.

It defines crisis (at para 3.18) as:

an extraordinary situation in which there is a serious threat to public safety in the UK which is highly likely to:
have resulted (in whole or in part) from a significant increase in relevant illegal content and/or content harmful to children on a service; and/or
have caused, or cause, a significant increase in relevant illegal content and/or content harmful to children on the service.

An “extraordinary situation” can arise in part of the UK – so local or regional events can trigger the protocols – this reflects comments made by those responding to the consultation. Ofcom also clarifies that overseas events resulting in a serious threat to public safety in the UK could be an “extraordinary situation” for the purposes of this requirement (Statement, para 3.19). Otherwise the definition remains broadly the same as in the consultation. It remains unclear what the scope of public safety (as a threshold condition) means, though Ofcom emphasises that it must be linked to an increase in relevant content under OSA. While the definition does not make this point expressly, Ofcom’s discussion of when the protocols should come into effect (Statement, para 3.26), suggests that the protocols relate not just to actual crises but also likely crisis situations.

Obligation to have a Crisis Response Protocol (ICU C15 and PCU C11)

There are three elements to the obligation: a pre-crisis obligation; during the crisis; and post-crisis.

Pre-crisis

There must be a crisis protocol and it must be formalised in writing. This also constitutes a point of evidence in the context of enforcement of the obligation – it will be insufficient for a service provider to say “of course we have a crisis protocol – it is in the chief exec’s head”. It should cover two stages:

• the identification of a crisis (which is the responsibility of the service provider – Ofcom does not tell them when there is a crisis though presumably that option remains open, for example through open letters, as we have seen in relation to Southport and Belfast); and
• how the service will respond.

As regards the first one of these Ofcom suggests that the provider should identify relevant indicators and monitor them to identify impending crises. Presumably (though this point is not made) these indicators should also be used to identify when the crisis is over. Ofcom puts a 90-day limit on the lifespan of a crisis. If the crisis conditions continue after that, this is a new normal for which the service provider must plan (see Statement para 3.32 and Annex 1, paras A1.36-39). As regards the second, Ofcom suggests details of the response team, how the team will work, and the systems in place for risk mitigation and management. In including these points, Ofcom has clarified its expectations in response to some consultation responses. Ofcom has given indicative examples of the sorts of indicators and other systems in Statement, paras 3.21 – 3.24. Amongst the non-exhaustive list, Ofcom has included information from other service providers. As a result of the consultation, Ofcom has also included a s 175 notice (Statement para 3.23). While this is described by Ofcom as an indicator, adding this to the list is a way of joining the system in s 175 Online Safety Act to the codes, and to some extent, giving that set-up more legal force. Presumably an open letter from Ofcom could likewise be taken into account, although Ofcom did not include statements from regulators in its indicative lists.

During the Crisis

The team and the systems identified as part of the protocols should come into action as soon as reasonably practicable after a crisis has been identified and (where relevant) the law enforcement communication channel should be operational. Included in measures that might be taken are a reallocation of resourcing of the content moderation function – though this might end up with that general function just not working effectively during the crisis. Ofcom also suggests proactive sweeps could be carried out.

After the Crisis

Providers should conduct a post-crisis-analysis, looking at key decisions made during the crisis and whether the protocol remains sufficient. Again, this review should be recorded. This provides an evidence base which - as well as presumably helping the service improve its performance -could be useful in enforcement terms. The existence of the record is an enforceable obligation in itself. While Ofcom has not included any formal requirements in the codes as to what should be in the report of the analysis, it has – in response to consultation feedback - listed some suggestions (para 3.34), which includes lessons learned.

Obligation to have a dedicated channel by which law enforcement can contact the service (ICU C16 and PCU C12)

This obligation applies only to relevant large services. The objective is to facilitate time-sensitive communications, including helping services identify emerging trends. This is to facilitate triage within the service provider and reduce delays and also allow for more coordinated crisis response efforts.

When will the New Measures Come into Force?

The OSA envisages a process whereby any code or amendment to it must be subject to Parliamentary approval before it comes into effect. So while Ofcom has made its statement and clarified what it will expect, the new measures are now in the hands of DSIT and Parliament as time must be found in the legislative timetable for the code amendments to be discussed and (hopefully) approved. It is therefore not possible to give any sense of time frame for this.