
Ethics of Interview Transcription: Core Obligations
Summarize this article with:
The Core Obligations
Researchers who record and transcribe interviews hold private disclosures in documentary form. The ethical obligations that attach to those documents are not satisfied by getting consent to record. They extend to how transcripts are processed, stored, shared, anonymized, and eventually destroyed. IRBs, participants, and data-protection frameworks each ask questions in this space. This guide maps the practical answers.
The five obligations that recur across IRB guidance, the US Common Rule, and GDPR are: consent that actually covers transcription and third-party processing; honest anonymization rather than cosmetic name-swapping; disclosure of cloud processing in your consent form and protocol; a concrete retention-and-deletion schedule; and a decision about whether to offer participants transcript review.
What Consent Must Actually Cover
The US Common Rule (45 CFR 46.116) requires that informed consent include "a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained." That phrase carries more weight than it looks. A consent form that says "your interview will be recorded" but says nothing about transcription, cloud tools, or data-handling does not satisfy the spirit of that requirement.
IRB offices at multiple US universities now treat AI transcription tools as a separate disclosure item. Penn State's IRB Guideline XI requires that consent documentation address how recordings "will be stored, secured, used, transferred, and destroyed." Columbia University's IRB has stated explicitly that when a cloud transcription service processes participant audio, the specific tool and its privacy policy should appear in the consent form and the research protocol.
Practically, this means your consent form needs three things beyond "you will be recorded":
- A statement that the recording will be transcribed (by you, by a human transcriptionist, or by an AI service).
- If AI transcription is used, the name of the service category and a plain-language description of what the service does with audio.
- A statement of how long the recording will be retained and when it will be deleted.
For participants who did not agree to third-party processing of their voice data, the only defensible path is to keep transcription in-house. Local Whisper deployments or encrypted laptop-based tools let you transcribe without routing audio through external cloud infrastructure.
For research involving identifiable health information, a Business Associate Agreement (BAA) with any audio-processing vendor is a legal requirement under HIPAA before the audio can be transmitted or stored by that vendor.

Anonymization vs. Pseudonymization: The Distinction That Matters
The most widespread error in research transcription is calling pseudonymized data anonymous. The EDPB's 2025 guidelines (EDPB Guidelines 04/2025) formalize what GDPR Recital 26 has always implied: truly anonymous data is outside the scope of data-protection law entirely. Pseudonymized data is not.
Data is pseudonymized when identifiers are replaced but the replacement can, in principle, be reversed. A transcript that uses "Participant 4" instead of a participant's name is pseudonymized, not anonymous, because your mapping key links the code back to the person. That transcript is still personal data under GDPR and UK GDPR. It remains subject to lawful-basis requirements, access rights, and deletion obligations.
Data is genuinely anonymous only when the EDPB's three cumulative tests are passed:
- You cannot single out an individual from the dataset.
- You cannot link records of the same person across datasets.
- You cannot infer attributes about an individual from remaining data values.
For qualitative research, passing all three tests is rare. Quotations carry voice patterns, vocabulary, professional context, and situational detail that often survives name removal. The honest classification for most research transcripts is pseudonymized.
The practical consequence: operate your transcripts as personal data until you have a documented rationale for a stronger claim. Apply your institution's data-classification rules to pseudonymized transcripts, not to "de-identified" materials.
How to Pseudonymize a Transcript Properly
The UK Data Service recommends planning pseudonymization at the point of initial transcription rather than as a retrospective task. Their guidance specifies that direct identifiers (names, contact details) and indirect identifiers (specific places, dates, and role combinations that narrow identification) should both be addressed.
A working system:
- Replace each participant's name with a consistent pseudonym or alphanumeric code.
- Replace names of third parties the participant mentions (colleagues, family members, locations).
- Aggregate or paraphrase identifying contextual details: "[city in the northern region]" rather than a named town; "[a public-sector employer]" rather than a specific agency.
- Keep a separate, access-controlled mapping key that links codes to real identities.
- Log every replacement in an anonymization log stored separately from the transcript file.
The UK Data Service warns against both over-anonymization (stripping context that carries analytical meaning) and under-anonymization (leaving combinations of details that identify someone even after names are removed).
For research published in reports or papers, use the same pseudonyms consistently so that a reader following across multiple extracts does not inadvertently learn more about a participant through accumulation.
Cloud Processing: What to Disclose and When to Avoid It
Every cloud transcription service that processes your audio is a data processor under GDPR, and a business associate under HIPAA if PHI is involved. That is a legal relationship requiring documentation, not just a vendor you hope behaves well.
Before uploading interview audio to any cloud service, verify three things:
- How long does the service retain audio after the transcript is returned?
- Does the service use audio to train or improve its models? Is there an opt-out?
- Does the service offer a Data Processing Agreement (DPA) or, for health research, a signed BAA?
These questions belong in your research protocol. IRBs are increasingly asking them. Several US university IRBs have begun treating cloud transcription services as engaged parties in the research if they receive participant audio, which can trigger IRB review of the tool itself.
For interviews involving sensitive topics (trauma, stigmatized health conditions, immigration status, whistleblowing within a workplace) the conservative default is local processing. Open-source tools like OpenAI's Whisper run on a laptop with no network access during transcription.
For research where the subject matter is not sensitive and participants have consented to cloud processing with clear disclosure, services that offer a DPA and explicit no-training opt-out are the middle path between local processing and uncontrolled cloud routing.
If you just need accurate transcripts for non-sensitive interviews where participants have consented to online processing, ConvertAudioToText's audio-to-text tool uses AssemblyAI's processing infrastructure with a documented retention policy. Read that policy before uploading research audio.
Retention and Deletion: Build a Schedule Before You Collect
Many researchers handle this backwards. They collect, transcribe, analyze, publish, and then wonder what to do with files they have now held for two years. The deletion decision should be made before data collection starts and documented in the IRB protocol.
A working retention framework separates audio from transcripts by risk level.
Audio recordings carry the highest re-identification risk. Voices are biometric. If audio is retained after transcription, a subsequent data breach or court order could expose a participant's identity even from a pseudonymized study. Most IRB guidance recommends deleting audio once you have verified the transcript is complete and accurate. Several IRB protocols state a specific window: 24-to-48 hours after verification.
Pseudonymized transcripts carry lower risk and higher analytical value. They are typically retained through the study's analysis phase and, for thesis or dissertation research, through the examination period. Federal sponsors often require a minimum of three years post-publication. The specific timeline belongs in your protocol.
The mapping key (the file linking codes to real names) is the highest-risk item in your archive. It should be stored on access-controlled, encrypted institutional storage. When you delete it, participant data in the transcript becomes effectively anonymous for practical purposes, though the transcript itself may still carry residual identifiers.
Build two calendar events when you start a study: one for audio deletion and one for mapping-key deletion. Link them to the study closure milestones in your protocol. IRB annual reviews are a natural checkpoint.
For the data-handling obligations this connects to, see hidden costs of transcription services and transcription for qualitative research.
Participant Transcript Review: What It Is and When to Offer It
Member checking (also called respondent validation or participant transcript review) is a credibility strategy in which the researcher returns data or findings to participants for review. Lincoln and Guba (1985) described it as "the most critical technique for establishing credibility" in qualitative research.
At the transcript level, the simplest form is sending participants a copy of their interview transcript and asking them to review it for accuracy. At the findings level, Birt and colleagues (2016) proposed synthesized member checking, in which you share your analytic findings rather than raw transcripts and ask whether the interpretation resonates.
Transcript-level review and findings-level review serve different purposes. Transcript review addresses factual accuracy and participant comfort with the record. Findings review addresses interpretive validity. Neither is mandatory, but both are ethically transparent, and some research frameworks (particularly those with a participatory design) treat them as obligations.
Practical considerations before you offer transcript review:
- Participants who see their transcript often want to change, add, or withdraw portions. Decide in advance how you will handle these requests and describe that decision in your protocol.
- Sending transcripts creates a new handling obligation. The email or file-transfer mechanism must be secure.
- Some participants find reading their own speech in text form distressing, particularly if the interview covered trauma. Offer the option without implying it is required.
- Transcript review reopens the interview relationship. For vulnerable populations, consider whether that re-engagement is appropriate.
My take: for most interview studies, offering transcript review is good practice and low cost. Participants who feel they can correct the record are more likely to speak candidly in the first place. The administrative overhead is manageable if you build a simple correction-request form and a documented response protocol before you start.
For more on the interview-to-analysis workflow that this feeds into, see coding qualitative interviews and thematic analysis from transcripts.
A Pre-Analysis Ethics Checklist
Before you move a research transcript into analysis, confirm each item:
- Consent covered transcription, the method used (human/AI/cloud), and data retention.
- Audio has been deleted or a deletion date is calendared.
- Transcript is pseudonymized with an anonymization log.
- Mapping key is on access-controlled encrypted storage.
- Any cloud-service DPA or BAA is signed and on file.
- Participant transcript review was offered or a documented rationale for not offering it exists.
Six items. Running through them takes under five minutes and produces a paper trail that satisfies IRB review and, if you work in GDPR territory, supports your accountability obligation under Article 5(2).
Frequently Asked Questions
How to Pseudonymize a Transcript Properly
The UK Data Service recommends planning pseudonymization at the point of initial transcription. Replace direct identifiers (names, contact details) and indirect identifiers (specific places, dates, role combinations) systematically. Use a consistent pseudonym or code for each participant, keep a separate access-controlled mapping key, and log every replacement in an anonymization log stored apart from the transcript file. Aggregate contextual details that could narrow identification even without a name present.
Does my IRB consent form need to mention the specific AI tool I use for transcription?
IRB practice varies by institution, but multiple university IRBs (including Columbia and Penn State) now recommend or require naming the category of transcription service and describing what it does with audio in both the consent form and the study protocol. Consenting participants to "audio recording" without mentioning third-party AI processing is increasingly considered insufficient disclosure, particularly for sensitive research topics. When in doubt, ask your IRB coordinator before data collection starts rather than after.
What is the difference between anonymization and pseudonymization for research transcripts?
Under GDPR and UK GDPR (and consistent with EDPB Guidelines 04/2025), anonymized data is outside the scope of data protection law entirely because no individual can be identified from it. Pseudonymized data replaces direct identifiers with codes but retains a mapping key, meaning the data can in principle be re-linked to a person. Most research transcripts are pseudonymized, not anonymous, and should be treated as personal data with all the rights and obligations that entails.
How long should I keep audio recordings and transcripts after a study closes?
Audio recordings should generally be deleted once you have verified the transcript is complete and accurate. Many IRB protocols specify a window of 24-to-48 hours post-verification. Pseudonymized transcripts typically need to be kept through the analysis and publication phase; federal sponsors often require a minimum of three years post-publication. The specific timeline should appear in your IRB protocol before data collection begins. Your mapping key should be deleted as soon as its research purpose is served.
Do I need a Business Associate Agreement with a transcription service if my research involves health-related interviews?
If your research involves Protected Health Information (PHI) as defined under HIPAA, any vendor that processes, stores, or transmits that audio is a Business Associate and must sign a BAA before any audio is transmitted. This applies to AI transcription services that process participant audio in the cloud. Uploading PHI to a vendor without a BAA is a HIPAA violation regardless of the research context. For research that does not involve PHI but involves sensitive health topics, the BAA obligation may not apply legally, but the ethical case for equivalent contractual protections is strong.
Is offering participants transcript review mandatory?
No universal regulatory requirement mandates transcript review in qualitative research. What varies is the ethical expectation within specific methodological frameworks. Participatory action research treats participant input into the record as a core principle. Thematic analysis (Braun and Clarke) and grounded theory approaches treat credibility strategies like member checking as optional but valuable. The decision should be documented in your protocol either way: offer it with a process for handling requested changes, or document why it was not appropriate for your study design.
Sources
- US Common Rule, 45 CFR 46.116 (current as of June 2026): https://www.law.cornell.edu/cfr/text/45/46.116
- Penn State IRB Guideline XI: https://researchsupport.psu.edu/orp/irb/irb-resources-training-and-events/irb-guidelines/irb-guideline-xi-research-involving-audio-video-or-digital-recordings-of-research-participants/
- Columbia University IRB Blog, Audio and Video Recording in Remote Research (2022): https://www.tc.columbia.edu/institutional-review-board/irb-blog/2022/audio-and-video-recording-in-remote-research/
- EDPB Guidelines 04/2025 on Anonymization (via Innovires Legal): https://www.innovires.com/en/blog/edpb-anonimizacia-psevdonimizacia.html
- UK Data Service, Anonymising Qualitative Data: https://ukdataservice.ac.uk/learning-hub/research-data-management/anonymisation/anonymising-qualitative-data/
- ICO, Introduction to Anonymisation: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/anonymisation/introduction-to-anonymisation/
- ICO, Pseudonymisation: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/anonymisation/pseudonymisation/
- Lincoln, Y. S., and Guba, E. G. (1985). Naturalistic Inquiry. Sage.
- Birt, L., Scott, S., Cavers, D., Campbell, C., and Walter, F. (2016). Member Checking: A Tool to Enhance Trustworthiness or Merely a Nod to Validation? Qualitative Health Research, 26(13).
- HHS HIPAA BAA guidance: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html
Try transcription free
Convert any audio or video to clean, unwatermarked text — speaker labels, timestamps, and AI summaries included. First 30 minutes free, no account.
Related Articles

Fact-Checking From Transcripts: A Practical Workflow (2026)
How journalists and researchers fact-check from interview transcripts. Covers claim extraction, timestamp citation, ASR homophone errors, and audio verification workflow.

How to Extract Quotes from an Interview Recording
A workflow-led guide for journalists and writers: how to extract publishable quotes from interview transcripts, with editing ethics, context rules, and approval flows.