AI transcription tools: a time-saver or security risk?

Automated transcription tools are increasingly used to convert audio from meetings and interviews into text. While they are convenient, tools such as otter.ai and MeetGeek introduce significant risks, especially when personal or sensitive data is involved.

You may not realise that these tools are often powered by AI and operated by third-party providers, many of which are based outside the UK or EU. This means they may not meet the data protection standards required under UK GDPR. 

Members of the University should primarily use the transcription features already available in both Microsoft Word and Microsoft Teams. This also includes transcription in shared meeting spaces with Teams room devices. Instructions are available on the IT Services website.

Key risks when using other transcription tools

  • Loss of control over data: Some transcription services act as data controllers, meaning once you upload a recording, they decide what else they want to use it for and how it is stored. You may lose control over the content entirely. 
  • Lack of consent or adequate privacy notices: If meeting participants are not aware that meetings are being recorded and transcribed using AI, this could breach our obligations under UK GDPR. Such a breach may damage trust, lead to regulatory action, and result in reputational harm. 
  • International data transfers: If the service is hosted outside the UK, your data may be transferred to jurisdictions without adequate privacy protections.
  • Training AI models: Many services use uploaded audio to train their AI models, which can expose sensitive or identifiable data, potentially putting data subjects at risk. 
  • Accuracy and bias: AI transcription tools can misinterpret speech, miss context, or hallucinate (make it up) content. This is especially problematic in research or legal settings where accuracy is critical.
  • Security vulnerabilities: If the tool hasn’t gone through a software risk assessment (SRA), it may not meet University standards for secure data handling. 

Practical guidance

  • Before turning to external AI transcription tools, explore what’s possible within Microsoft 365. 
  • Avoid uploading recordings with personal, sensitive, or confidential information to unvetted platforms. 
  • Transcription uses automated speech recognition, which can occasionally misinterpret words, names or technical terms. Transcripts should not be relied upon as a completely accurate record and should be reviewed carefully if they are being used for formal or detailed reference. 

Please contact the Information Governance team if you're unsure whether a tool is appropriate for the data you are working with.