Quick guide to children’s risk assessments: protecting children online
This page summarises proposals we are consulting on – we will update this information when final documents are in place. Please note that this quick guide is intended to introduce your children’s risk assessment duties. Our guidance will set out your legal responsibilities in full.
Services likely to be accessed by children will be required to carry out Children’s Risk Assessments under the Online Safety Act. Our Children’s Risk Assessment Guidance (PDF, 1.0 MB) (which we are consulting on) will help you do this. Please note that our proposals may change as a result of consultation.
If your service is likely to be accessed by children you will need to do a children’s risk assessment in future
This duty will come into force once Ofcom has published our final guidance on children’s risk assessments, which we expect to do in spring 2025. From then, you’ll have three months to complete your first children’s risk assessment.
The children’s risk assessment is a separate duty to the illegal content risk assessment. All service providers in scope of the Act will have to complete an illegal content risk assessment, and also a children’s risk assessment if you are likely to be accessed by children. We have already consulted on our draft Illegal Content Risk Assessment Guidance.
You don’t need to do anything right now, but we’ve suggested some steps to help you get ready.
What you can do now
Read more about risk assessments in our draft guidance to understand what you may need to do in the future.
Follow our proposed four-step risk assessment process
Our draft guidance sets out four steps to help you complete your children’s risk assessment. There is no one-size-fits-all approach, but we propose that these steps can be used by services of all types and sizes. We have proposed broadly the same four-steps as in our draft Illegal Content Risk Assessment Guidance to help services who have to comply with both sets of duties.
Step one: Understand the harms
You’ll need to:
- Identify the kinds of content harmful to children that need to be assessed
- Take into account a list of risk factors we have published
Our draft guidance sets out each kind of content harmful to children (PDF, 3.6 MB) that you need to assess separately. You should also consider how aspects of your service design or features and functionalities which affect use may impact the level of risk of harm suffered by children on your service.
We have published a draft list of risk factors –such as features including direct messaging and recommender systems - that you need to consider whether they apply to your service. For each risk factor, we explain how they could increase the risk of content harmful to children being encountered. This short-list of risk factors is called Ofcom's ‘Children's Risk Profiles’.
What you can do now
Get more familiar with online harms and what makes them more likely by reading our draft Children’s Risk Profiles within our Children’s Risk Assessment Guidance.
Step two: Assess the risk of harm to children
You’ll need to:
- Consider any other characteristics of your service that may increase or decrease risks of harm
- Assess the likelihood and impact of each kind of content harmful to children
- Consider how the design of your service may affect how much children use your service and the impact this could have on the level of risk of harm
- Consider the risk of cumulative harm
- Assign a risk level for each kind of content harmful to children
Once you understand the different kinds of content harmful to children and have a list of risk factors from Ofcom, it’s time to assess what this means for your specific service.
You need to consider any other characteristics that may increase or decrease risks of harm to children, including the risk of children experiencing cumulative harm. You should consider your user base, design features, algorithmic systems, your business model, any user protection or risk mitigation measures, and other relevant aspects of the service’s design and operation, and the way it is used to make this assessment. You should gather evidence about your service – our draft guidance includes a recommended list including user report and complaints, for example. Our guidance also includes information about how you might assess the risks to children in different age groups on your service.
Based on this information, you should decide how likely it is that children could encounter content harmful to children on your service and what the impact could be. This will help you decide whether each kind of content harmful to children is low, medium or high risk. Our draft guidance provides more information on how to make these judgements.
What you can do now
Think about your service, what its features are, and what evidence you need about risks of harm.
Step three: Decide measures, implement and record
You’ll need to:
- Decide on the appropriate online safety measures for your service to reduce risk of harm to children
- Consider any additional measures that may be appropriate on your service to protect children
- Implement all safety measures
- Record the outcomes of the children’s risk assessment
Next, you need to decide how to address the risks you have identified – this is part of your related children’s safety duties under the Act. One way to meet your duties is to apply the relevant safety measures set out in Ofcom’s Children’s Safety Codes (currently subject to consultation), such as measures around content moderation, reporting and complaints, default settings and user tools.
You will then need to implement all measures to mitigate and manage risks of harm to children and record the outcomes of the children’s risk assessment. We have provided draft guidance on what your record needs to include.
What you can do now
Look at the quick guide to our draft Children’s Safety Codes, which summarises the safety measures that different services may need to use.
Step four: Report, review and update risk assessments
- Report on the risk assessment and measures via relevant governance channels
- Monitor the effectiveness of mitigation measures
- Review (and update) your risk assessment
Where possible, we recommend that you consider reporting your children’s risk assessment outcomes and online safety measures to a relevant internal governance body to review. Smaller services are less likely to have formal organisational governance structure such as oversight boards or internal assurance functions. However, you can still improve the oversight of risks by reporting to a senior manager with responsibility for online safety duties for risk of harm to children.
To keep your children’s risk assessment up to date, our proposals recommend reviewing it annually. You also need to review your assessment if Ofcom makes a significant change to the Children’s Risk Profiles. If you are planning to make a significant change to your service, you need to do a new children’s risk assessment before making the change. Our draft guidance covers this in more detail.
What you can do now
Give someone responsibility for getting your business ready for the new Online Safety duties and the children’s risk assessment you’ll need to do in future.
For full details, you can read our draft Children’s Risk Assessment Guidance (PDF, 1.0 MB) and respond to our consultation. If you have views on our proposals, we’d love to hear from you.