What is it?
- Assessing risks for victim identification, offender targeting and to mitigate against technology infrastructure and broader online risks.
Why is it important?
- Children face a range of individual and combined risks[1], including those relating to sexual exploitation and abuse, when interacting in digital environments. The risks can manifest online and offline and come from a range of actors. Systematic and coordinated identification, assessment, management and mitigation of all risks is crucial to strengthening the safeguarding of children online and offline and to reducing the possibility of unintended (or intended) harms coming to life.
- Risk management is standard good practice in (offline) project management and operations. Therefore, all actors planning, delivering, supporting, strengthening and advocating to change a specific online or digital project should also identify and manage the associated risks.
How can it be implemented?
- Technologies and behaviours can change and issues can emerge and change over time. To reflect the shifting environment, all actors should have a clear risk assessment template enabling them to assess, re-assess and add risks on a systematic basis. A thorough risk assessment process includes:
- Defining and agreeing risks;
- Identifying online and offline risks, including data and privacy-related risks;
- Assessing the likelihood and severity of those risks (e.g. scale 1-5);
- Identifying measures to avoid, eliminate, mitigate and manage risks;
- Re-assessing the likelihood and severity of those risks with mitigation measure in place;
- Documenting measures that are needed, associated responsibilities and timeframe; and
- Reassessing risks at set timeframe.
- Risk assessments can be separated into broad areas/themes for analysis including: content risks; contact risks; conduct risks; and contract (or commercial) risks; excessive use risks and societal risks. Analysis should also cover perpetrator tactics/techniques, vulnerability scans, penetration testing and at-risk focus. Intersectional analysis is advised where possible and where not against confidentiality or privacy legislation.
- Input from stakeholders with varied expertise (e.g. technology engineers, criminal justice staff, and child protection professionals) across organisations, sectors and countries will strengthen the risk assessment quality.
Further resources:
- A guide for tech companies considering supporting the Voluntary Principles to Counter Online Child Sexual Exploitation and Abuse (2021) WePROTECT Global Alliance members ((Facebook, Google, Microsoft, Roblox, Snap and Twitter).
- 5Rights Foundation (2019), Towards an Internet Safety Strategy (see p5 for risk analysis).
- Girl Effect (2018), Digital Safeguarding Tips and Guidance.
- Information Commissioners Office (2018), Consultation: GDPR DPIA Guidance.
- Internet Watch Foundation (2018), Trends in Online Child Sexual Exploitation: Examining the Distribution of Captures of Live-Streamed Child Sexual Abuse.
- SafeToNet Foundation, App Risks.
- Telecommunication Development Sector (ITU-D) (2020), Child Online Protection Guidance note, Separate documents available in different languages for children; parents; industry; and policy makers.
- WePROTECT Global Alliance (2019), Global Threat Assessment 2019: Working Together to end the sexual exploitation of children online.
Australian eSafety Commissioner, Industry self-assessment tools
[1] Risk is defined here as a chance or possibility that an individual will be harmed.