Ofcom's statement on the protection of children: an orientation guide

Ofcom has published multiple documents as part of its Statement on the Protection of Children Online. This note from Prof Lorna Woods provides a guide to their purpose.

Orientation

Ofcom has produced a large number of documents covering the duties on content harmful to children comprising 5 volumes, plus a sixth volume dealing with the further consultation relating to illegal harms and user controls. The first of the volumes is introductory, setting out Ofcom’s approach. Volumes 2-4 map on to obligations placed on Ofcom by the Online Safety Act (OSA) to produce specific documentation (see ss 41 52(3), 53(1), 93 and 98) and contains their justification of regulatory decisions in each case. The fact that the one consultation has covered this range of requirements is part of the reason the documentation is so sprawling. These volumes contain a number of chapters each containing these explanations, plus annexes which detail Ofcom’s response to consultation feedback. The fifth volume contains a number of further Annexes providing more detail on technical matters (though Annex 6 contains discussion of additional measures proposed by stakeholders). Annex 7 contains a glossary.

Vol 6 is not part of the codes and guidance related specifically at all but contain a consultation about expanding some measures in the Illegal Harms Content Codes of Practice about blocking and muting and also disabling comments. The objective of the change is to protect children too.

Finally, and separately, Ofcom has published a range of documents under the heading “Regulatory documents and guidance”. These are the documents which implement the obligations in OSA and to which service providers should have regard.

Identifying Content Harmful to Children and Risk of Harm

The relevant documents are found in Volume 2, together with the three following regulatory documents:

• Children’s Register of Risks
• Children’s Register of Risks Glossary
• Guidance on Content Harmful to Children.
  
  There are two questions addressed through these documents:
• what types of content are in scope (and to which category of content do they respectively belong)?
• How do the characteristics (a term defined in s 98) of the service affect the level of risk of children encountering and being harmed by the content?

The risk register material addresses the second question which the guidance on content harmful to children deals with the first. Together these documents should help services carry out their risk assessment and in understanding whether any of the relevant types of content are present on their respective services (see s 192).

While the OSA lists the types of content that fall within the categories “primary priority content” (s 61) (PPC) and “priority content” (s 62) (PC), s 60 provides a general definition of content that is harmful to children (ie content that is not in the lists of content in s s 61 and 62 but still could be harmful) (NDC). Note the Guidance on Content Harmful to Children (see Chapter 6 in Vol 2) covers only PPC and PC as that is what is required by the OSA (s 58). Ofcom groups the categories of content listed in the Act together in the risk register, as follows: (1) pornographic content, (2) suicide and self-harm content, (3) eating disorder content, (4) abuse and hate content, (5) bullying content, (6) violent content (including content promoting or depicting violence against humans and animals), (7) harmful substances content, and (8) dangerous stunts and challenges content (see Table 1.1 in Guidance on Content Harmful to Children). Note some content harmful to children may well be criminal and as such it is dealt with under the illegal content provisions, though Ofcom has considered the interrelationship between the two categories of content.

Although service providers could work off the definition of NDC in s 60, Ofcom has produced a framework for assessing whether content is NDC (although this is not required by the OSA) and suggested some categories of content that satisfy the definitional test – and which it has refined since the consultation (“body stigma content” and “depression content”). This is explained in Section 1 of risk register and also in Vol 2 (para 4.27, 4.113 et seq).

Ofcom has produced two sets of risk profiles based on the register of harms: one for user-to-user and one for search, each of which contains risk factors associated with that type of service. On the whole the risk profiles remain as they were in the consultation document (Table 5.1 in Vol provides a list of differences between the draft for consultation and the final version for user-to-user; no changes were made for search). In discussing its risk profiles, Ofcom notes that they are not intended to provide all answers in all circumstances ; they are a starting point and an aid to services, each of which needs to think about the specificities of their own service(s) when carrying out their risk assessments. While some factors will be relevant to all services (user base age, other user base demographics, business model and commercial profile), some will have a more limited applicability depending on the nature of the service.

Risk Assessment

In addition to the explanatory statement in Vol 3, Ofcom has published the following statutory document: Children’s Risk Assessment Guidance and Children’s Risk Profiles. Ofcom also republished its Guidance on Children’s Access Assessments (originally published in January 2025).

As well as explaining Ofcom’s approach to the Risk Assessment Guidance, in Vol 3 Chapter 7 Ofcom details the links between risk governance (on which there are requirements in the Codes) and the risk assessment process. Chapter 8 then discusses the approach to the Children’s Risk Assessment Guidance with the Guidance itself published separately. Note the children’s duties apply if a service is likely to be accessed by children; Ofcom has already published Guidance on the Children’s Access Assessments (16 January 2025) to help services determine if the children’s duties apply to them. Ofcom maintains its four-step risk assessment process, which it has tried so far as possible, to align with the approach taken to the Illegal Harms Risk Assessment Guidance and sets out how it understands the requirement in OSA that a risk assessment be “suitable and sufficient” (see 8.113 et seq), though it has introduced some further clarifications by comparison with the consultation version (see explanation at 8.160-162). There are specific references to consultation of Ofcom’s risk profiles, assessing NDC (discussion at 8.180 et seq) and giving separate consideration to children in different age groups (see 8.165 et seq for discussion), as these are all specifically required by OSA. The risk assessment is based on risk of harm occurring – and harm is defined by the OSA. It specifically envisages the possibility of harm arising through the accumulation of content (either the same content repeatedly or some content in conjunction with other content) (see s 234). This is referred to as cumulative harm. S 234 also envisages the possibility of “indirect harm”. The risk assessment guidance considers both of these aspects, outlining that cumulative harm is part of the OSA’s understanding of harm and should therefore be considered as such in a risk assessment. Given service providers are required to keep the risk assessment up to date, especially on the occurrence of a significant change, Ofcom has outlined what this means (see 8.137 et seq) and again there are parallels with the approach taken with regard to illegal harms. Service providers are also required to keep records of the process (see ss 23 and 34) and the Guidance covers this too.

Mitigation of Harm

Volume 4 is a substantial one comprising 13 chapters though the first two chapters provide an overview and framework. The final two chapters discuss the impact assessment and the statutory tests for inclusion of measures respectively. The remaining chapters look at specific mitigation techniques, looking in some instances at user-to-user and search separately. They are:

• governance and accountability
• terms of service (user-to-user services) and publicly available statements (search) – required by OSA
• Age assurance – required by OSA
• Content moderation for user-to-user – required by the OSA
• search moderation
• user reporting and complaints – required by the Act
• recommender systems on user-to-user services
• user support
• search features, functionalities and user support.

Ofcom has also produced the following statutory documents:

• DRAFT Protection of Children Code for Search Services
• DRAFT Protection of Children Code for User-to-user Services.

Note these are shown as draft because although Ofcom has finalised the codes, they still need to be approved by Parliament.

Ofcom has also (re)published its Guidance to Highly Effective Age Assurance. This was originally published in January 2025 and tries to ensure that the approach to highly effective age assurance is aligned between Part 3 providers and Part 5 pornography providers.

As with the other documentation, Ofcom has mainly maintained its position set out in the consultation documents. The aim of the code is to ensure a higher level of protection for children than adults as set out in the OSA (s 1(3)(b)(i)). Ofcom has provided an index of the measures in Section 3 of the codes with more detail as to each of the measures in separate successive sections. Definitions are found in section 5 of the Codes and these include cross referencing to statutory definitions and ideas found in other Ofcom documents (eg how Ofcom has defined highly effective age assurance).

Ofcom is also consulting (in Volume 6) on expanding the measures in the Illegal Content Harms Code to include measures relating to user blocking and muting and disabling content, to align with provisions in the Children’s Code. Currently the Illegal Content Harms Code only applies these measures to larger services; the proposal would extend the obligation to certain smaller services.