How we are approaching online safety risk assessments
At the time of writing, the Online Safety Bill has reached the Committee Stage in the House of Lords. Many details of the legislation – including proposed amendments – are still being debated. But it’s clear that the regime will require services in scope of the regulation to better understand the risk of users encountering illegal content, or content harmful to children online. Today we have published a discussion document on Ofcom’s planned approach to risk assessments (PDF, 355.0 KB).
As currently drafted, the Bill will require all regulated firms to do a risk assessment of illegal content that may appear on their service, ranging from online fraud to terrorism. Services that are likely to be accessed by children will also have to do a risk assessment concerning content which is harmful to children. This is likely to include material such as pornography and content which promotes eating disorders.
While it’ll be up to online services to do their own assessments, our role as the future regulator is to provide them with guidance. We expect this to explain what content they’re required to focus on, how harmful content might appear on their services, and good risk management practice as a fundamental part of service design and organisational culture. This links to strong governance, and we will advocate for risk assessments and risk management to be owned at the most senior levels.
Guidance that works for online services big and small
A huge range of services will be in scope of the regime, from one-person microbusinesses to global tech giants. It’s important that our approach to risk assessment guidance accounts for that and does not place an unnecessary burden on smaller or less-resourced businesses.
While there is no one-size-fits-all approach, based on our research and analysis we consider that the following four-step process to risk assessment can be applied by services of all types and sizes:
Step one: Establish the context
Establish the risks of harm that need to be assessed. Consult the risk profiles produced by Ofcom, which set out our assessment of key risk factors, and identify any gaps in your understanding and evidence.
Step two: Assess the risks
Review evidence about your platform and your risks. Assess the likelihood of harmful content appearing and the severity/impact of harm. In addition, evaluate existing mitigating measures.
Step three: Decide measures and implement
Decide how you will comply with the safety duties, including through Ofcom's Codes of Practice. Identify and measures you need to implement. Record the outcomes of the risk assessment. Implement any new measures.
Step four: Report, review and update
Report via relevant governance structures. Monitor the effectiveness of your mitigation measures. Put in place regular review periods for your assessments, recognising any triggers to revisit assessments between these periods.
Our guidance will also cover the kind of evidence we think services should consider in their risk assessments. An important duty is that these assessments are suitable and sufficient. For some, that will mean focusing on materials that Ofcom provides and any relevant data they hold. Others – especially larger services – are likely to have more mature measures and metrics in place for assessing risks of harm to users and the effectiveness of their protections. We will expect these services to do more to ensure their assessments are robust and accurate.
International co-operation and next steps
We’re conscious that services will also need to comply with risk-related obligations in different legal jurisdictions – for example, under the EU’s Digital Services Act. So we are working with services and our regulatory counterparts abroad to improve international coherence around risk assessments for online safety.
We’ll launch our first consultation on our approach to illegal content risk assessments as soon as we can after our powers commence. A separate consultation on children’s risk assessments will follow.
We’ll then issue a statement to finalise our first set of risk assessment guidance on illegal content, and services will be required to carry out their first illegal content risk assessments within three months of its publication.
For more detail on our planned approach to risk assessments and what that means for regulated services, head to our full discussion document (PDF, 355.0 KB).