URL List Testing Policy
- Purpose and Scope
- Self Certification Process
- Remedies and Sanctions for breaches in the URL List Self Certification Process
- Independent Oversight of the Self Certification Process
- Action by IWF Board
- Remedies and Sanctions
1.1 The process set out in Part 2 of this document is the result of a working group made up of representatives from organisations on the Funding Council, IWF Board and IWF Executive. It sets out an agreed process for self certification verifying that those organisations (referred to in this document as Providers) listed on the IWF’s website (#1) as blocking URLs included in the URL List are testing their systems for doing so (#2). This process must be followed as a condition of having their name on the IWF’s website. Compliance with this code is mandatory for those Providers listed on the IWF website.
1.2 The process defines the self certification process which entails regular testing of the Provider’s blocking systems and obligation to notify the IWF of the result under certain circumstances. It does not prescribe the way the blocking system works or the way testing is carried out. Nor does the certificate confirm anything other than whether the systems passed the tests required on a quarterly basis in line with the process.
1.3 Part 3 of this document defines the process whereby the IWF may impose sanctions for failure to comply with this self-certification process.
1.4 The self certification programme as described in parts 2 and 3 will be subject to regular review by Funding Council in consultation with the IWF Board.
2.1 The IWF will inject dummy URLs into the list (#4). These dummy URLs shall be refreshed from time to time and are a tool to help Providers to verify the correct operation of their own URL list blocking system at any time. It is not a prerequisite of complying with this process that a Provider uses the IWF dummy URLs. A Provider may choose to test against their own dummy URLs or use alternative means to test for compliance.
2.2 Providers must test their URL List blocking systems at least quarterly. The IWF shall send an email reminder quarterly (#5) (1st October, 1st January, 1st April, 1st July), however the process is not dependent on the IWF sending this reminder. If the Provider has a different quarterly testing cycle they shall notify the IWF. Lack of a reminder from the IWF or details of the dummy URLs to test against is not a reason to not carry out testing.
2.3 The Provider shall test their system to ensure that as far as they can reasonably ascertain, it is operating correctly from an end user perspective and report to the IWF within 28 days of commencing the test period, whether the test has been a success or failure.
2.4 If the Provider runs the test and finds that the blocking system is not operating correctly and is unable to fix the problem within 28 calendar days of commencing the test period, the Provider must report this to the IWF, at the end of that period, setting out what it intends to do to fix the problem. The Provider shall attempt to fix the problem within that quarter or within a reasonable timeframe agreed with the IWF Executive; once the next quarter comes round the verification cycle obligation restarts.
2.5 Within 28 days of the end of the fourth quarter, a certificate (using the wording set out in Annex 1) signed by an authorised signatory (#6) of the Provider must be submitted to the IWF Chair confirming that they are running a web blocking system using the URL List and that they have followed the agreed process for testing that system.
2.6 The certificate must indicate for each quarter whether the tests were not carried out, failed or succeeded. Providers who have failed any of the tests must still file a certificate provided they have followed the process (#7). If a Provider fails the test in the last quarter and is unable to fix the problem within 28 days they must still file the certificate within 28 days of the end of the quarter.
2.7 Providers who join part way through the IWF financial year will be expected to file a certificate with the IWF indicating the periods of their compliance with the process.
2.8 The IWF shall hold the certificate under terms of commercial confidentiality and will not disclose the certificates to anyone except with the permission of the company which provided the certificate.
2.9 Organisations listed on the IWF website who take their blocking solution via a third party Provider (e.g. a filtering company or upstream provider) must also comply with process above and file their own certificate, reporting any test failures to the IWF in line with the process, even if the problem relates to the third party supply.
This part applies to those Providers of the IWF URL List Service who are in breach of their undertakings in this process designed to ensure the filtering solutions they choose to deploy on their networks are effective.
3.2 Scope of Providers covered by this document
As above in 1.1.
3.3 Obligations of Providers and the IWF
3.3.1 Providers are expected to:
(a) Be bound by the terms of these rules and take all reasonable steps to secure compliance;
(b) Comply with the voluntary self certification process;
(c) Co-operate with IWF investigations of any alleged breaches by supplying information and responding to inquiries.
3.3.2 IWF obligations are outlined in Annex 3.
4.1 Self certification is subject to an oversight process to address breaches. This process will be overseen by the IWF Board according to the rules outlined below. The objective of this process is to maintain confidence in the integrity of self certification, promote compliance by Providers and to guard against action by a Provider bringing the IWF in to disrepute.
4.2 This process is not intended to standardise blocking solutions or testing processes, merely to verify that Providers are using the list and testing for compliance in line with the self certification process outlined in part 2 above. This process is also without prejudice to the terms of the license.
4.3 A Breach is defined as a failure to comply with the provisions of this process or submitting an inaccurate or untruthful certificate.
4.4 A Provider shall promptly notify the IWF of any Breach of which it becomes aware.
4.5 If the IWF has received notification of a Breach or has reasonable grounds to believe a Breach has occurred the following Notification Procedures shall take place:
4.5.1 Where a Breach is not resolved within 60 days of a quarterly or annual deadline (or other deadline agreed under 2.4 above, the Provider must contact the IWF Executive to discuss the situation. If the Breach is resolved records are noted.
4.6 IWF will maintain a confidential log of all Breaches that are reported directly by the Provider or their agent or are reported to them via another source.
5.1 Notifications received by the IWF Board will be delegated for consideration to a specially convened Sub-Committee of the Board to consider.
5.2 If a member of the Board is a representative of the Provider facing the potential sanction, or has any other potential conflict of interest, then the Board member must make their position known and exempt themselves from any further activities in relation to that particular case.
5.3 The Provider shall be entitled to attend and present its response to the Sub-Committee of the Board and may be assisted by or represented by another person, including a legal advisor.
5.4 The Sub-Committee of the Board will consider a report from the Executive and may, if it considers appropriate, seek independent legal advice in respect of a case brought before it.
5.5 Where a Breach relates to the Provider’s implementation of the self certification process or agreed remedial measures, relevant evidence may take the form of the Provider demonstrating that process or measures. Providers are expected to co-operate with any reasonable request from the Sub-Committee of the Board to assist in obtaining such evidence.
5.6 The evidential standard that shall be met when determining any matter in accordance with this policy shall be that adopted in civil proceedings, i.e. on the balance of probabilities.
5.7 The IWF shall inform the Provider of the Sub-Committee of the Board’s decision within ten business days of the hearing and shall provide details of the Sub-Committee of the Board’s reasoning and any proposed sanction sufficient to enable the Provider to make written representations to the Board as the appropriate appellate authority.
5.8 For the avoidance of doubt, if the relevant sub Committee finds that there was no case to answer then no further action shall be taken and the licensee advised.
5.9 If the Sub-Committee of the Board levies one of the remedies and sanctions in 6.2c) or 6.2d) then it may publish its adjudication on the IWF website. However, it shall not publish the adjudication on the IWF website if 6.2a) and/or 6.2b) are levied.
6.1 It is anticipated that most failures of the self certification process can be remedied quickly without the need for formal proceedings (outlined above). However, if a Provider is found to be in Breach after a formal proceeding, the relevant Sub-Committee may decide to impose sanctions on a Provider in order to secure their compliance.
6.2 Remedies and sanctions available to the relevant Sub-Committee are:
(a) Request a formal, written undertaking as to future compliance;
(b) Issue of a warning or reprimand;
(c) Removal from the published list of recipients;
(d) Removal of access to the list (if they are a licencee.)
6.3 When determining the level of any remedy or sanction the relevant Sub-Committee will consider a number of factors that will determine the most appropriate course of action. Recognising that each case is likely to have its own particular features, the factors which the relevant Sub-Committee may take into account include the following:
(a) Whether the Breach was inadvertent, negligent reckless or knowingly an act of commission or omission;
(b) Seriousness of the Breach in terms of detriment to consumers or the wider public interest;
(c) Repetition or regular Breaches or flouting of the rules;
(d) Number of complaints against the Provider regarding its failure to carry out tests;
(e) Impact of the Breach on the integrity of the IWF;
(f) Impact of the Breach on the integrity of the self certification process;
(g) Degree of co-operation with the IWF by the Provider in connection with the identification and rectification of the Breach;
(h) Relevant precedent, although the IWF will not be bound by precedent.
6.4 When the relevant Sub-Committee decides on the sanction or remedy the relevant Sub-Committee shall explain its reasoning. This decision is final.
6.5 IWF can recover reasonably incurred marginal costs of the process from the offending member.
6.6 Reapplication to have the Provider’s name added back to the list on the IWF’s website is subject to the usual consideration process as set out by the IWF Executive.
Self Certificate Text:
“I, <an authorised signatory> of <company>, certify that we currently operate a blocking system based on the IWF URL List and that the system has been tested and reported upon at the following times in accordance with procedures agreed with the IWF:
 Q1 <year> <not tested/failed/succeeded>
 Q2 <year> <not tested/failed/succeeded>
 Q3 <year> <not tested/failed/succeeded>
 Q4 <year> <not tested/failed/succeeded>
I certify that this is a true and accurate statement for the systems over which we have direct control.”
3.2 Obligations of the IWF
Providers can expect the IWF to:
a) Compile and regularly update the URL List and upload it for access by all Providers;
b) Enable secure authenticated access to the URL List to relevant parties engaged in the deployment of filtering solutions for and on behalf of Providers;
c) Inject dummy data into the URL List to assist Providers as necessary to test their systems so they do not inadvertently expose themselves or their associates to potentially criminal child sexual abuse content;
d) Send quarterly reminders to URL List Providers to test their systems;
e) Collate and store in a confidential manner all certificates submitted by Providers;
f) Investigate any alleged breaches arising from public complaints, industry reports and monitoring;
g) Report breaches and other relevant data, as defined at 6.3, to the IWF Board respecting the confidentiality expected by Providers.
#2. Recipients of the list include ISPs, search engines and providers of third party solutions and it is the systems they employ that are being self-tested. http://www.iwf.org.uk/services/blocking.
#3. A flowchart of this process is set out in Annex 2.
#4. The process for this will be determined and agreed between the IWF and each member.
#5. to the Funding Council representative and/or nominated contact (the main reminder will also be sent to a senior contact to ensure the business receives the reminder; the dummy URL details will be sent to the blocking contact only.)
#6. For avoidance of doubt “an authorised signatory” is someone who is authorised to make legal commitments on behalf of the company (e.g. the person who signed the IWF URL List licence agreement.)
#7. It is up to the IWF Board to determine any sanctions that may apply under specified circumstances.