Data protection – how safe is sensitive data with a transcription service?

Many people are careless with their data in their private lives. They post holiday pictures on social media, give Google permission to access their location and use particular messenger services that sell their data.  

But what about in a professional environment? Here, people have a responsibility towards others whose data must be protected. Sensitive data – from journalistic interviews and reports, for example, or internal company meetings, official minutes, or interrogations – must not fall into the wrong hands. The question arises, therefore: How secure are transcription tools and how do these services deal with the issue of data protection? 

Historically, there have been some nasty surprises in the US in terms of the way transcription service providers handle their customers' data. Several security vulnerabilities have been discovered that users should be aware of before entrusting any service with their data. This will allow them to assess in advance whether any data leaks could end up causing problems or even posing a threat.  

For cloud-based solutions, pay attention to the location of the server and the transcription provider’s company headquarters. German data protection law is among the strictest globally. If the servers are located in Germany, you can assume they are located in a secure place. The server location is also key to user data access rights in the event that the police or other similar authorities employ surveillance measures.  

The USA differs here. The access and disclosure of any data to US authorities is stipulated in the USA PATRIOT Act – the law in force in the USA that expands the government’s access to the generation and surveillance of data – as well as the Cloud Act passed in 2018. The latter allows US authorities to access data stored outside the US by US IT companies and cloud providers. The ability to access user data is not only limited to companies based in the US, but also extends to subsidiaries and companies that use US cloud services or integrate them into their offerings. This means that European companies can be affected too if, for example, they use cloud resources of a US provider at a data centre located in Europe. From a data protection perspective, it is problematic that the provider's customers themselves have no way of objecting to the data being disclosed. 

Basically, it is not clear how often user data is or is not shared with US authorities upon request. Carefully read the privacy policies of transcription service providers. Look for sections that address data sharing with third parties and data storage. 

If you do not want to rely on external servers, some transcription service providers also offer installation on your own internal servers. This way you can be sure that your data will never leave your own network.  

In principle, it is possible for the provider to access uploaded audio recordings or generated transcripts. Reputable providers undertake not to make use of this, however. Nevertheless, providers are able to view users’ data, which can be justified by technical requirements for checking and improving services. 

It is true that data traffic is encrypted, which protects against outside access. However, in this context, whether third-party providers are involved in uploading and data processing also plays a role. This is also some providers’ practice and constitutes another potential gap in security.  

Sub-systems such as Stripe, Payment Programme or Google Analytics should not be part of the transcription service. These are services subject to US law. If the above-mentioned providers are present, any transfer of data to US authorities cannot be ruled out. 

In essence, our recommendation is – export and delete documents that have already been edited from the transcription service’s file repository. This can reduce the risk if your account is broken into as deleted files cannot be accessed. 

With cloud solutions, audio data and the transcript are stored. It is important that no unauthorised person has access to the customer section where this data is stored. To prevent external hostile attacks, users should assign a password that is as long as possible. The password’s length is more important than its complexity. Most systems can deal with 128 or even 256 characters. It makes more sense to use a password like ‘ItWasDark,theMoonShoneBrighterThanHisCar82’, therefore. And that makes more sense than a password like ‘su)NX7R_GFcjXc!@’, which you can’t remember anyway so stick under your keyboard. 

[Translate to Englisch:]

Wenn Sie sich für einen Transkriptionsdienst entscheiden und sensible Daten z.B. von vertraulichen Interviews, Videos oder Sitzungsprotokollen schützen wollen, achten Sie darauf, wo der Anbieter seinen Unternehmenssitz hat und wo seine Server stehen. Ist das in einem EU-Land wie Deutschland, ist der Datenschutz wesentlich strenger als in den USA und DSGVO-konform.