Ofcom’s consultation on preserving child data — what you need to know

From 30 September 2025, Ofcom gained new powers to issue Data Preservation Notices ("DPNs") to service providers when a child’s death is under investigation by a coroner. These notices are designed to prevent the deletion or alteration of relevant data before a formal request is made via a Coroner Information Notice ("CIN") under the Online Safety Act 2023.

Why this matters

The consultation and the new powers under the DUAA will have direct implications for regulated services (i.e. user-to-user services and search services), especially those with a significant child user base. Businesses operating platforms that allow user-generated content or provide search functionality may be subject to urgent data preservation obligations, with criminal liability for non-compliance.

The act of deleting or altering data covered by a DPN (where the intention is to prevent its availability for a coronial investigation) is a criminal offence. This means in-scope service providers must have robust systems in place to respond quickly and effectively to DPNs.

What’s changing?

Under the DUAA, Ofcom must issue a DPN when a coroner is investigating the death of a child. The coroner will provide Ofcom with:

• the child’s name;
• date of birth;
• known email addresses; and
• the name of any relevant regulated service

Upon receiving a DPN, the service provider must take all reasonable steps, without delay, to prevent deletion or alteration of relevant data. Ofcom’s proposed guidance outlines a standard list of data categories to be preserved, allowing for rapid issuance of DPNs.

For user-to-user services, this includes:

• content (including direct messages, comments, reactions, etc.) that the child user has either uploaded, generated or shared on the service, or encountered by means of the service;
• metadata associated with that content, e.g. time, date, account details of a user who uploaded, generated or shared content encountered by the child, how long a child paused on content, etc;
• any search requests entered by the child to locate content on the service (and metadata associated with those requests e.g. date/time); and
• possibly, friend/connection lists and channels that the child followed.

For search services:

• search requests entered by the child;
• the content shown to the child in response to each search request. This includes the search results shown to the user on the pages of results that they visited and any images, warnings, supportive messaging or AI-generated content shown to the user; and
• metadata associated with the above e.g. the time and date of each search request, details of each search result that the user clicked on.

DPNs will require data to be preserved for one year, with the possibility of any number of extensions in six-month increments. Service providers must respond by confirming either:

• the steps taken to preserve the data; or
• that the child did not use the service or no relevant data is held.

What’s new in Ofcom’s proposed approach?

Ofcom propose that, unlike CINs, DPNs will not be issued in draft form due to the urgency of preservation. This means service providers may be required to act immediately, without prior clarification or engagement with Ofcom. However, the DUAA allows providers to respond confirming that the child did not use the service or that no relevant data is held, which serves a similar function to a draft stage.

Beyond what is required through the DUAA, Ofcom also proposes:

• referring to additional optional information that coroners may provide to Ofcom as part of the DPN process e.g. mobile numbers or usernames;
• as set out above, defining a standard set of data categories to be preserved, allowing DPNs to be issued quickly and consistently;
• encouraging coroners to clearly describe the scope of their requests (e.g. types of content, metadata, search activity);
• meeting with coroners before issuing CINs to clarify expectations and reduce ambiguity; and
• sharing service provider responses to draft CINs directly with coroners.

What should you be doing?

 For businesses in the tech, media, or digital services sectors, now is the time to:

• review your data retention and preservation protocols;
• assess whether your systems can comply with DPNs quickly and reliably; and/or
• consider whether you wish to respond to the consultation (directly or via industry bodies).

Our team

The collaboration between Ofcom and coroners is expected to significantly increase the number of service providers drawn into inquests, particularly where there is a suggestion that social media usage or search history is linked to a child's death. With coroners now empowered to request data preservation and access via Ofcom, service providers may face more frequent and complex requests for user data.

Fieldfisher is closely monitoring these developments and is experienced in supporting businesses to navigate coronial, regulatory and other investigations, especially where sensitive data and reputational risks are involved. If you find yourself facing an issue which may be subject to scrutiny in an inquest or are considering what steps need to be taken to prepare for any potential DPN, please contact our specialists Oliver Carlyon, Frankie Everitt and Olivia Anness. For further information, see Inquiries, Inquests and Investigations.