Data protection in professional transcription: what your provider should offer and how to check it

When an organisation sends a recording to a transcription service, it is not simply outsourcing a task. It is transferring a data file that may contain personal information, sensitive personal information, or special category data under UK GDPR to a third-party processor. The legal and professional responsibilities that attach to that data do not transfer with it. They remain with the organisation that owns the recording.

Understanding how your transcription provider handles data - and what questions to ask before you send your first file - is not just a compliance formality, it is a professional obligation.

How UK GDPR applies to recordings and transcripts

The UK General Data Protection Regulation classifies personal data as any information relating to an identified or identifiable natural person. An audio recording of a conversation between named individuals is personal data. A written transcript of that conversation is also personal data.

Special category data - a category that carries significantly stricter handling obligations - includes information about health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation, and biometric data. It also includes data relating to criminal offences and proceedings.

An HR disciplinary recording, a medical consultation, a legal interview, or a grievance hearing is very likely to contain special category data. Sending that recording to a transcription service that processes it through an AI platform, stores it on third-party servers, or retains it under unclear deletion policies creates a compliance risk for the organisation that sent it.

Questions to ask any transcription service

Before committing your recordings to a transcription provider, the following questions should have clear, documented answers.

1. How is the recording transferred? A secure, encrypted file transfer method is the minimum standard. Email attachment is not.

2. Who has access to the recording? For a human transcription service, this means the individual typist assigned to the work and, if applicable, a quality reviewer. Nobody else should have access.

3. Is the recording processed through any AI system, third-party platform, or cloud storage? If the answer is yes, the data handling question becomes significantly more complex and may create a GDPR compliance issue depending on the nature of the recording.

4. What are the retention and deletion terms? When is the recording deleted after transcription is complete? Is deletion automatic, or does it require a request? Is a certificate of deletion available if required?

5. Is a data processing agreement available? Any organisation that sends recordings to a third-party processor for the purpose of transcription should have a data processing agreement in place. If the provider does not offer one or is unfamiliar with the requirement, that is a significant warning sign.

   
   

Why AI platforms create a specific compliance risk

When audio is uploaded to an AI transcription platform, the terms of service typically grant the platform provider rights to process, store, and in some cases use that audio for purposes including improving the AI model. The audio is being processed on servers that may be located outside the UK, under the platform provider's data governance rather than the client organisation's.

For recordings that contain personal data - which most professional recordings do - this raises questions about lawful basis, data minimisation, and third-party transfer obligations under UK GDPR. For recordings that contain special category data, the compliance requirements are even more demanding.

Human transcription services with clear data handling policies do not create these risks because the audio is never submitted to an AI platform. It is processed by a vetted individual under explicit confidentiality and data protection terms.

How OutSec Media handles data

OutSec Media processes all recordings through vetted human transcriptionists only. No audio is submitted to AI platforms or third-party processing systems. Recordings are transferred via our secure FileManager document handling system and are deleted from our systems after our standard time period, unless a specific arrangement is agreed in writing.

We operate under UK GDPR compliance and can provide a data processing agreement for any client that requires one. Our confidentiality obligations are explicit, documented, and applied consistently to every recording we handle.

If your organisation needs to review its transcription data handling practices, or if you want to discuss our approach in detail, contact OutSec Media at outsecmedia.co.uk.