UK Online Safety Regulations and impact on Forums

Well done for persevering and finding out all this. I gave up after contacting VerifyMy and getting no response. I considered it moot though once I realised it doesn’t (yet) apply outside of porn but I can see how it may help a risk assessment. Did you get any info on how it might integrate with XenForo?
Thanks. Yes they sent the API documentation. It would need a programmer. And yes it's purely to avoid the child risk assessment stage. Probably not difficult for some people - personally I would need a programmer.
 
I've shared the API documentation with @chillibear but thought they may not be too impressed if I posted it publicly - possibly. It mentions a "Postman workspace" and that their API is designed to be used in two environments: a sandbox environment and a production environment. All Greek to me :-)
 
Isn't the child risk assessment supposed to be done by 16th April? I suppose I may have to attempt it but don't want to. I'd rather just verify over-18s only but it seems like a rock and a hard place! If I did a child risk assessment, the forum would be very dumbed down. No DMs, no videos. No researched articles that link to "evidence".

Edit - it's the children's access assessment that has to be done by 16th April.

"According to the Children's Access Assessments Guidance, regulated providers have until 16 April 2025 to complete their first children's access assessment. Regulated providers will need to comply with the children's safety duties under the OSA, and Ofcom will commence enforcement against non-compliance, from July 2025"

From that link

"What is 'content that is harmful to children'?

For the purpose of the OSA, a 'child' is a person under the age of 18 (OSA s236). The term 'content that is harmful to children' is defined under section 60 of the OSA.

Content that is harmful to children means:
  1. primary priority content that is harmful to children;
  2. priority content that is harmful to children; or
  3. content, not within paragraphs (a) or (b), of a kind which presents a material risk of significant harm to an appreciable number of children in the UK (i.e. non-designated content that is harmful to children)."

It's the "non designated" bit that gets me!
 
"what constitutes a significant number of children for the purposes of a children’s access assessment is likely to depend highly on the nature and context of your service, taking into account a number of factors and characteristics". Ofcom advises that providers should err on the side of caution.
Sorry if I've posted it before but this is the Ofcom guidance for the child assessment that needs to be done by 16 April
 
How can face scanning tell the difference between an 18 year old and a 17 year old? Plus no pricing for it as yet.
Not that I think it helps much, but I think they are often trying to do more like 25+ (although the OnlyFans one seemed to be 20+, 21+ and 23+ at various points from the Ofcom ruling). Still I guess a well trained AI is probably no worse than whoever is behind the till at your local off-licence!

As an aside I do wonder who is underpinning so many of these companies - the face scanning stuff is all very similar (maybe it just has to be) and they always support 200 countries for document ID. I do wonder if there are some big players under the hood that actually are doing the heavy lifting? Total speculation on my part mind you.

My Shufti trial has (hopefully) not started since I've heard nothing from them since my meeting last week. I must give Luciditi a shout to see what that all looks like.

child assessment that needs to be done by 16 April
Yes the assessment should have been done - the "kids yes or no" as it could be called. The Risk Assessment documentation has not been published (although there is a draft from the consultation which gives an idea). It should end up on this page I think: https://www.ofcom.org.uk/online-saf...nt/quick-guide-to-childrens-risk-assessments/ the draft guidance is linked to from that page. They say three months from publication to complete it (the risk assessment).
 
From the guidance

"We anticipate that most Part 3 services that are not using highly effective age assurance are
likely to be accessed by children within the meaning of the Act."
Part 3 services include user-to-user, so basically everyone who doesn't have age verification has to do a child access assessment.

"You may already have assessed whether a service is likely to be accessed by children as set
out in the ICO’s Children’s code for the purposes of complying with data protection
regulation. Please note that the requirements of data protection law are different, and you
will need to carry out a separate children’s access assessment, although you may be able to
draw on similar evidence and analysis for both"

Didn't even know about needing an assessment for ICO!

You then have to carry out a "Children's Risk Assessment".

Edit: Posted at the same time as @chillibear
 
"
All Part 3 services that are ‘likely to be accessed by children’ must:
• carry out children’s risk assessments (for more details, see [Children’s Risk Assessment Guidance]); and
• take steps to comply with the relevant safety duties protecting children (for more details, see [Protection of Children Codes])."

This then leads to two other lengthy documents you have to assess - the child risk assessment guidance and the Protection of Children Codes.



I just find I don't have enough time in the days to read all these lengthy documents.
 
Also from the link in the post above

"Regarding stage 1 of the assessment, providers are only entitled to conclude that it is not
possible for children to access the service if they are using age verification or age estimation
(“age assurance”) with the result that children are not normally able to access the service."

"A child is any person under the age of 18. References to children are to children in the
United Kingdom."

So it sounds like you only have to consider UK children.
 
It would be good if XenForo could implement the ability to upload videos so they are embedded, without needing to upload them somewhere else and post a link.
You can already do this. I don't because of the huge server space and the likelihood of copyright stuff.
 
I don't think this is as complicated as you're making out.

The diagram is pretty simple

Screenshot_20250401_012044_Edge.webp

Whilst we all answer yes for stage one, a lot of forums can easily answer no to both questions in stage two and thus not need to do a child assessment.

It even gives a load of forums as examples at the end of the document.

If your forum is unlikely to be of interest to children, all you need to do is log the date and your reasoning of how you reached that conclusion.

I'd say automotive forums are pretty safe there, but I can see why a hamster forum might fall foul.

Then we just keep it filed? Do we have to actually submit anything anywhere?
 
I think I rather got stuck on "significant", at least on the assessment I had to do - Ofcom don't seem to really say if it's significant in terms of your numbers - so you have say 100 active users and 5 children - is that significant or does it need to be 30 children? Or is it significant in raw numbers - so do I need 10,000 children using the site or 30,000 or some other number? I'm not sure I quite got a feel for really what they were thinking. Although in the risk assessment stuff their examples where risks are low are often still talking quite significant numbers, I had to redo my risk assessment after I was too pessimistic and then later properly read the case studies. Maybe I should go back and re-read it again with a view to the children's access assessment take 2... probably worth it.

I don't from experience believe on the smaller forum I look after there are many if any children - the youngest person I've spoken to where I know their age was 20, most are 45-60, we might have the odd ~16+ I suspect. However I don't know I can prove that the larger numbers of dormant accounts are not children waiting like little landmines for the unwary to step on! Also is the site attractive to children - well it's nostalgic for the oldies, but it obviously therefore did attract us as children 30-40 years ago. So I guess in theory "yes", but the content is old(ish) farts talking geek (so possibly not generally) ... so on the side of caution I've felt I probably do have to concede we may have children using the site or could have because I can't prove otherwise and my nature tends to be cautious. Someone else may well be more robust and take the opposite view - which I am sure is the reality - I just don't have any hard evidence to back up my gut.

Still yes in essence if you are happy to say nope and justify it then you don't need to do the upcoming children's risk assessment.
 
"A child is any person under the age of 18. References to children are to children in the
United Kingdom."

So it sounds like you only have to consider UK children.
Now that is interesting especially if using age-verification as a "feature filter" rather than to gate keep who has access to the site full stop. So as long as I kept the poor UK kids safe I can throw the rest to the wolves! :)
 
I don't think this is as complicated as you're making out.

The diagram is pretty simple

View attachment 320933

Whilst we all answer yes for stage one, a lot of forums can easily answer no to both questions in stage two and thus not need to do a child assessment.

It even gives a load of forums as examples at the end of the document.

If your forum is unlikely to be of interest to children, all you need to do is log the date and your reasoning of how you reached that conclusion.

I'd say automotive forums are pretty safe there, but I can see why a hamster forum might fall foul.

Then we just keep it filed? Do we have to actually submit anything anywhere?
Well in my case I would honestly have to say yes. The site has photos of hamsters so could attract children (second part of second screenshot). For the first part of the second screenshot. Can you prove you don't have significant numbers of child users? Eg I had 850 members registered, only a handful posted regularly, the rest were followers, spammers or people who only signed up to read an article. I wouldn't know how many of those were children because the site didn't have age verification software.

So having read the Child Access Assessment guidance I have concluded that both Stage 1 and Stage 2 are needed, meaning it's necessary to do the Child Risk Assessment also. UNLESS you have Ofcom approved age verification software.

The actual Child Access Assessment is not difficult or time consuming to do - you just have to assess whether it is just stage 1 or stage 1 and 2. It's the Child Risk Assessment that I think could be the big one and that hasn't been published yet I think? Has it?

That screenshot of yours above, the second box is either/or. So if either of those two examples (of interest to children or significant users who are children) applies, then the Child Risk Assessment applies to your site.
 
Personally it was the initial risk assessment I got stuck on, using Ofcom's downloadable record-keeping template. It was tedious to complete but did make you consider all possible risks along the way.

However I got stuck at the end as I didn't understand the last three pages (plus there was still a "written policy" to do as well).

It's downloadable, and looks like a Word document but has some extra elements to it, so you can't save it as a separate Word document, upload it anywhere (eg on here) or even print as PDF. So the best I can do is add some screenshots, because I had no idea what was expected in the last few sections (after completing all the sections about the 17 risks and how they were mitigated and what evidence there was).

It still does my head in just looking at it. I don't even understand some bits.

 
I don't think this is as complicated as you're making out.

The diagram is pretty simple

View attachment 320933

Whilst we all answer yes for stage one, a lot of forums can easily answer no to both questions in stage two and thus not need to do a child assessment.

It even gives a load of forums as examples at the end of the document.

If your forum is unlikely to be of interest to children, all you need to do is log the date and your reasoning of how you reached that conclusion.

I'd say automotive forums are pretty safe there, but I can see why a hamster forum might fall foul.

Then we just keep it filed? Do we have to actually submit anything anywhere?
You still need to have a document saved I think, called Child Access Assessment. Even if you decide children aren't attracted to your site and you don't have a significant number of child members. You still need to do the Child Access Assessment explaining how you've ascertained that etc.

"
All Part 3 services must complete a children’s access assessment. Your children’s access
assessment will help you work out if your service, or part of your service, is likely to be
accessed by children. You can find our guidance about children’s access assessments in
Annex 5 of this consultation."

 
There's also this bit in the current Child Risk assessment guidance: 🤔

"Harm also includes indirect harm, in which children are harmed or the likelihood of harm
is increased, as a result of another individual who views the content (by them doing or
saying something to that other child as a result of viewing the content)"

Which presumably also applies to priority harms such as bullying and hate speech. So if an adult reads or sees something harmful they could say something about it to a child and you're responsible?!!
 
There's also this bit in the current Child Risk assessment guidance: 🤔

"Harm also includes indirect harm, in which children are harmed or the likelihood of harm
is increased, as a result of another individual who views the content (by them doing or
saying something to that other child as a result of viewing the content)"

Which presumably also applies to priority harms such as bullying and hate speech. So if an adult reads or sees something harmful they could say something about it to a child and you're responsible?!!
I saw that and wondered how in one sentence they refer to another individual and the next sentence as “that other child” as if the editor decided to change child to individual, but missed the second sentence.

It’s garbage.
 
Any tips on that record-keeping document above? I used it as my risk assessment. The first few pages were ok - each risk was listed and you filled in the boxes underneath as to whether it was low risk or whatever, then what possible risks were and how you mitigate them and what evidence you have. I put virtually the same for all categories. Low risk, explained the type of site. Only real risk is from spam links - what spam prevention and moderation was in place. Then you get to the end and there's all that stuff! Which is where I got stuck.

Copy and paste which bit from where? So is it saying that at the end you have to write it all out again and show what you've done and plan to do to mitigate risks?

Also I don't like the document as it seems to have some kind of power all of its own and be linked to something! So can't be copied or shared. It's like it's still connected to the Ofcom site and maybe they can read it!

It's also like the worst exam paper ever!
 
I don't think they know what a "smaller service" is! One man band doesn't have a senior manager.

"Where possible, we recommend that you consider reporting your children’s risk assessment outcomes and online safety measures to a relevant internal governance body to review. Smaller services are less likely to have formal organisational governance structure such as oversight boards or internal assurance functions. However, you can still improve the oversight of risks by reporting to a senior manager with responsibility for online safety duties for risk of harm to children."

 
Anyway, having read the 70-odd pages of Child Risk assessment guidance, it still doesn't exactly tell you how to create a child risk assessment document. I wanted to see how much work it involved in case age verification goes nowhere. Most of the work seems to be reading the document. Which to me, still isn't clear exactly how you produce a Child Risk Assessment.
 