As of 16 March 2025, all platforms, sites, and apps in scope of Part 3 of the UK's Online Safety Act 2023 (OSA) must assess the risks posed on and by their service that are associated with Priority Offences (as defined in the OSA) and other illegal content by completing an Illegal Content Risk Assessment (ICRA). The completion of an ICRA is a separate duty from the duties to complete a Children's Access Assessment (CAA) and a Children's Risk Assessment (CRA).
What services are in scope?
The OSA creates a legal obligation on all Part 3 Services to complete an ICRA and outlines certain requirements for the assessment.
Part 3 Services are those which are either:
- User-to-user services: where content is generated, uploaded to, or shared on the service by a user, and may be encountered by another user or users of the service; or
- Search services: services that are or include a search engine, or have the ability to search websites, databases or other aspects of a service.
What needs to be assessed?
The requirement to complete an ICRA is set out in the OSA, which outlines the elements needed to complete the assessment. However, the process, form and considerations to be taken into account during the assessment are dictated by guidance issued by Ofcom, the online safety regulator, published on 16 December 2024. Ofcom's guidance follows the same four-stage method that it advises for completing a CRA:
- Assess the content on the service which may be priority illegal content, other illegal content or used to commit a Priority Offence (see further below as to Priority Offences);
- Assess the risk of harm to users that encounter the content identified and the risk of harm should the content be used to commit a Priority Offence;
- Identify and implement measures to address the risks identified; and
- Ensure that appropriate reports and monitoring are completed.
Stage 1: Assessment of illegal content
In stage 1, services must determine the types of illegal content likely to be found on their service. This can be a particularly tricky assessment as there are 130 Priority Offences listed in the OSA, which services must consider when completing an ICRA. To assist with this assessment, Ofcom's guidance narrows the 130 Priority Offences into 17 categories which it refers to as "priority illegal content".
The guidance requires services to consider for each category of priority illegal content:
- The risk of users encountering the content; and
- The risk of the service being used to facilitate or commit a Priority Offence (user-to-user services only).
Services are also required to assess the risk of encountering other illegal content, not included in the 17 categories, and if illegal content is identified, complete the same consideration of risk.
Once services have identified the risk of encountering illegal content, they must identify the risk of harm which may occur. Ofcom's guidance provides Risk Profiles, which identify risk factors associated with Priority Offences, to assist services with determining harms that could arise on their service. Ofcom is clear in its guidance that these lists are not exhaustive, and there should be consideration of other harms and risks when completing an ICRA.
The considerations to be made for user-to-user services are slightly more onerous than for search services, as they must also consider specific types of Child Sexual Exploitation and Abuse (CSEA) and Child Sexual Abuse Material (CSAM) and the risks associated with this content.
Stage 2: Assessment of the risk of harm
Following the completion of stage 1, services should have identified illegal content that may be present on their service and the risk factors which relate to it. In stage 2, services should use the list of illegal content and the risks of harm identified from those risk factors, and assess the level of harm presented by the service for each of these.
Consideration should be given to:
- Existing controls in place to reduce risk of harm;
- Evidence of risk of harm on the service from existing records; and
- Characteristics and functions of the service which might increase the risk of harm.
Services should individually assess each category of illegal content that stage 1 identified as reasonably believed, or otherwise likely, to be on the service, in order to ascertain the risk of harm. Ofcom has provided General Risk Level Tables in its guidance to assist with this assessment. During this stage, services should also evaluate the likelihood and impact of harm for each category of illegal content identified in stage 1 by assigning each category a risk level.
CSAM and CSEA content has specific Risk Level Tables within the guidance, and user-to-user services should give special consideration to ensure that risk of harm is suitably assessed.
To assist with the gathering and analysis of evidence, Ofcom provides a list of "inputs" within its guidance which are indicative of the types of evidence to be relied upon during the completion of an ICRA. As with the other reference tables provided by Ofcom, these lists are not exhaustive and services are encouraged to consider other sources of evidence when completing their ICRA.
Stage 3: Identification and implementation of measures
Once the level of risk and harm has been identified by stage 2, services should determine appropriate measures that need to be taken to mitigate and reduce the risk of harm.
Services should refer to the Illegal Content Codes of Practice, which outline recommended measures for services based on their size, function and/or risk level. Some measures in the Codes of Practice are applicable to all services, while others will be relevant only to certain types of risk identified in stage 2. The Codes of Practice operate as a "safe harbour", so if a service chooses to implement all applicable measures set out in the Codes of Practice, they will be considered to have complied with their duties under the OSA by Ofcom.
Services are not obligated to follow the Codes of Practice, and can choose to implement alternative measures. Ofcom guidance encourages services to implement measures in addition to those contained in the Codes of Practice, where they consider it suitable to do so. The guidance is keen to remind services that any measures taken should not infringe on a user's right to freedom of expression, or violate privacy or data protection laws.
Where mitigation or other measures are undertaken, services should keep a record of these measures, and explain how these reduce or mitigate harm and comply with the OSA duties.
Stage 4: Reporting and monitoring
Once an ICRA is completed, a written record must be kept and reported internally to ensure appropriate governance.
Where services are a Category 1 or 2A service, they must also share a copy of their ICRA with Ofcom as soon as practicable after completion or revision. Category 1 services must include a summary of the ICRA in their Terms of Service. Category 2A services must include a summary of the ICRA in a publicly available statement. Category 1 and 2A services are typically large providers, with more than seven million UK users, which either allow user-to-user content, have a content recommender system, or are a search service.
The effectiveness of implemented measures also needs to be monitored and adjusted where necessary. The outcome of monitoring should assist with keeping the ICRA up to date, as it will need to be reassessed on an annual basis, or where there is a significant change to the service, which could impact the ICRA that has already been carried out. Significant changes include adjustments to the service's design or operation, new evidence regarding the risk of harm to children, or new evidence of an increase in the number of children using the service.
When must ICRAs be completed or updated?
For services that are already in operation and in scope of the obligation to complete an ICRA, the assessment should have been completed by 16 March 2025.
For services that come into scope of the obligation to complete an ICRA (whether due to a change in the service or due to the launch of a new service), an ICRA must be completed within the first three months of operation.
What is the penalty for non-compliance?
If an appropriate ICRA has not been carried out, Ofcom may use its powers to investigate and could impose a penalty of up to 10% of qualifying worldwide revenue or £18 million, whichever is greater. Ofcom may also require remedial action to be taken.
Ofcom recently set out its plans for enforcement under the OSA, and has begun to announce investigations that it is undertaking. It is expected that Ofcom will continue to actively enforce compliance. Mishcon de Reya has advised several clients on compliance with the OSA, as well as the commercial and practical implications that it poses and is available to assist. Please contact a member of our Online Safety Team if you wish to discuss this further.