Online Safety Bill – Educational Institutions

[21/6: Added more examples of public engagement]

[22/3: Updated analysis of why read-only access fits within the para 8 exemption]

The Government has now published its Online Safety Bill: the text that will be debated, and no doubt amended, in Parliament. Compared to last summer’s draft, this is somewhat clearer on whether platforms operated by educational organisations are within scope. The Impact Assessment is clear, according to paragraph 67 the following are excluded from the Bill:

Online services managed by educational institutions, including early years, schools, and further and higher education providers. This includes platforms used by teachers, students, parents and alumni to communicate and collaborate. It also includes platforms like intranets and cloud storage systems, but also “edtech” platforms.

And the text of the draft Bill (unlike last summer) does now match this, mostly. Schedule 1 Part 2 (paras 12-24) has a list of “persons providing education and childcare”: childminding, nursery schools, schools, independent training providers, and further education for persons under 19. This is a welcome clarification over the previous “public authorities”. But Higher Education isn’t there, indeed HE institutions that also provide Further Education are explicitly removed from the exemption.

So HEIs need to look at the exemptions by service type. Here there is another welcome clarification, that Schedule 1 Paragraph 7’s “internal business services … for the purpose of any activities of the business” include “educational institution” (para 7(3) – which does include HE) and that authorised persons (allowed to comment without bringing the service into scope) include “in the case of an educational organisation, pupils or students”.

So, as far as I can see, the main situation where an HEI might fall within scope is if it wants to receive and publish comments from those outside the “closed group” of staff, pupils, students (para 7(2)(c)). This might include outreach activities such as festivals of ideas; inviting public comments or responses to research or community activities; supporting professional practice communities (including cross-institution) or user groups.

Here there seem to be three possible approaches, though none is entirely clear:

  1. Create personal accounts for external individuals who wish to make comments thus, perhaps, “authorising” them within the meaning of para 7(3)(iv); this would seem to be the only way to bring in the “parents and alumni” mentioned in the Impact Assessment, so perhaps other interested individuals could be included as well. Para 8 seems to allow content and comments on exempt platforms to be visible to those who aren’t yet “authorised” (adding read-only access to the internal service doesn’t “enable” any new user-generated content, in terms of para 8(1)(b)), so they can decide if they want to request permission; or
  2. Rely on the distinction in Schedule 1 para 4 between comments “relating to provider content”, which keep the service out of scope, and comments (other than likes, emojis & votes) on other people’s comments, which bring it in. As in my previous post, turning off threading is the only technical measure I can think of that might possibly support that distinction; or
  3. Combine these two ideas, allow non-registered users to like, vote, or post emojis (definitely OK under Schedule 1 para 4); but only registered ones can add text comments (maybe OK under para 7(3)(iv)).

Comments very welcome if you spot a legal or technical possibility that I’ve missed…

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *