All services are not equal

 

Summarised version

Only through a mix of careful planning, execution and monitoring can confidentiality be maintained. It requires a blend of technological expertise, behavioural enforcement, legal contracts and an understanding of internet jurisdiction. Sadly, many Australian transcription companies fall short of this.

 

Confidentiality is of the utmost importance. There are so many things that can compromise it that it would take volumes to cover them all; suffice to say, good intentions don't mean much. All transcription providers state they are secure, yet few reflect it in their infrastructure and behaviour. For confidentiality and security to be effective there must be excellent protective measures, both technically and in policy. Furthermore, security has to be understood and valued so that there is a consistent mindset of putting security ahead of convenience. Let me clarify this further by highlighting some of the ways we have observed our competitors falling short, either through naivety or a lack of genuine concern.

Inadequate contracts and policies

We know from our previous experience with other transcription providers, and from that of some of our transcriptionists, that it is sadly not uncommon for a new transcriptionist to be hired in a busy period and put immediately to work with no induction process, no required policy reading and sometimes not even a signed contract. This unfortunately leaves clients of that business unwittingly exposed to a higher chance of having their material handled insecurely or inappropriately. It's crucial that, before any work is undertaken, each member of the team is explicitly aware of the conduct required of them and of the correct practices for accessing, storing and, when work is completed, destroying client information. Their understanding of this expectation should then be demonstrated by signing a contract stating this requirement. Doing this reduces the risk of negligent errors and leaves room for legal remedy should it be required. If you would like to view our Privacy and Confidentiality Policy please contact us and we will be happy to provide you with a copy.

No or unenforced encryption

I can't tell you the number of times I've looked at a competitor's client login page and found it is either unencrypted or unenforced. When you upload, download, read or write any information to a website, that communication usually passes through many computers along the way. Secure Sockets Layer (SSL) is the first defense against malicious practices like eavesdropping and password interception, and it is the universal technology that makes things like secure credit-card use on the internet possible. The 's' in https:// indicates a secure port is being used; the standard acceptable encryption level is currently 2048 bits. To check whether it is also enforced, just try removing the 's' and see what happens. For example, go to OutScribe's client login page, https://secure.outscribe.com.au, then remove the 's' and try to reload the page. You will see that you are automatically put back on the secured connection. Technically this is quite a basic principle, yet many providers don't deem it important enough to worry about.
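The "remove the 's'" check described above can also be scripted. The following is an added example, not OutScribe's own code: it starts from the http:// form of an address and follows each redirect to see whether the chain reaches https:// before any page is answered in clear text. The function names, the example.test hostnames and the canned responses are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def fetch_once(url, timeout=10):
    """Send one GET without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def https_enforced(http_url, fetch=fetch_once, max_hops=5):
    """Start from the address with the 's' removed and follow each redirect.
    Returns (enforced, last_url): enforced is True only if the chain reaches
    https:// before any page is answered over plain http://."""
    if urlsplit(http_url).scheme != "http":
        raise ValueError("start from the http:// form of the address")
    url = http_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            return False, url          # answered in clear text: not enforced
        url = urljoin(url, location)   # Location may be relative
        if urlsplit(url).scheme == "https":
            return True, url
    return False, url                  # redirect loop or over-long chain

# Constructed responses for three hypothetical login pages (not real sites).
SAMPLE = {
    "http://secure.example.test/login": (301, "https://secure.example.test/login"),
    "http://portal.example.test/login": (200, None),
    "http://old.example.test/login": (302, "/signin"),
    "http://old.example.test/signin": (200, None),
}

def sample_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    for start in ("http://secure.example.test/login",
                  "http://portal.example.test/login",
                  "http://old.example.test/login"):
        print(start, https_enforced(start, fetch=sample_fetch))
```

Leaving out the `fetch=sample_fetch` argument makes the same function query a live address. The first request still crosses the network unencrypted before the redirect arrives, so a passing result shows enforcement for what follows, not for that initial request.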

Emailing of documents

OutScribe will never email you transcribed files. This is our policy because the standard internet email system is very insecure, and while there are ways to encrypt emails it is not something clients generally want to set up. However, this doesn't mean we don't use email at all. Our system will send you an automated email the instant your transcription is ready with a direct secure download link. This is the best of both worlds: fast communication and simple but safe file handling. We have also created a safe and intuitive area where we can exchange any sort of file with the client, which is aptly named your "File Exchange" area.

Involvement of non-Australian residing staff / subcontractors

Outsourcing work overseas is rife in most sectors and the transcription industry is no exception. We usually get several emails a week from overseas transcription companies in places like China, India, Pakistan and Indonesia. Some of them will even have offices in the US or UK for appearances but still send their work abroad. Each tells us they can perform the transcription on our behalf for a fraction of the cost of us doing it locally, and they're right; some are ridiculously cheap. The temptation of larger profits and a "stronger" competitive edge is simply irresistible for many Australian transcription companies. Naturally this practice introduces inherent quality issues, but that is not the focus here. The focus is that your sensitive data is now in the hands of an overseas organisation. These companies may or may not have quality standards of confidentiality and secure file handling, and they may or may not be ethical in their use of the transcribed information, but one thing is certain: they do not have to abide by Australian law, and should anything unethical happen, legal action against the subcontractor would be near impossible. When clarifying this point with a company it's better to ask whether they use any non-Australian-resident staff, because even those companies that do outsource still use Australian staff (just not for everything).

Cloud or overseas web hosting is used

While the term "Cloud" computing can be vague and indicate various things, it has certainly become a fashionable term. It is generally used to indicate a distributed system where one website could be served from a range of servers located around the world for superior speed, like Amazon S3 for example. The problem of legal jurisdiction is discussed in many places around the web. Australian law cannot be used to protect overseas servers and the information they hold, which makes most "cloud" solutions undesirable for sensitive data.

Because Australia is a geographically remote island, our computer connectivity to the rest of the world is more expensive. Consequently, hosting websites and online services is vastly cheaper in places like America and Europe. Again, however, using overseas hosting is to sacrifice Australian legal protection. As with the staffing issue, it's best to ask a company if your work ever leaves Australia, either because an overseas subcontractor has downloaded a copy to work on or because they host their website overseas.

File storage and retention

At times some clients want to retain some or all their transcripts within their OutScribe WorkSpace, perhaps indefinitely or whilst on holidays. Our system delivers this in the Transcript Repository service. However, many of our clients conduct very sensitive interviews where they are contractually bound to ensure control of copies and total erasure within certain time-frames. People often innocently assume that when a transcription company completes the work they have destroyed all copies of their audio and completed transcript files, but this is not necessarily so. I'll explain why. To exchange and move files around the internet transcription companies use either their own file transfer systems or a 3rd party service like Dropbox. Either system has its pros and cons, so let's consider each in turn.

3rd Party File Transfer / Storage

Whilst 3rd party file transfer services like Dropbox are popular for their ease of use and convenience, using them means that the files are more than likely no longer under Australian jurisdiction and are now in the control of foreign companies who are themselves subject to many unsavoury influences. For example, Dropbox currently is unable to discuss how they comply with America's spy agency, the NSA, due to a gag order. Also, recently tens of thousands of users who stored their files with the popular Megaupload service were shocked when the FBI shut down all 600 of Megaupload's servers. All the users' files were then later deleted without warning and users were given no opportunity to obtain copies. Even SkyDrive (Microsoft) and iCloud (Apple) are not immune. Edward Snowden's leaks reveal that the NSA is given pre-encryption access to services like Outlook.com and Skype sessions. Even companies like Google and Yahoo are forced to be a part of the NSA's Prism and are held under gag orders. In short, things become very uncertain when you rely on external systems, particularly overseas ones. These direct factors aside, when transcription companies use these 3rd party services they have little to no ability to know what really goes on: when system level backups occur, where these backups are held and for how long.

Own file transfer software

For the companies who do understand the value of controlling their file transfer systems there remains the issue of server backups. Server backups will hold all files held on the server. This includes your audio and transcription documents, and by default they will remain in the server backups even after the transcription company has deleted copies from their management system. There's the catch. As most transcription companies neither own nor maintain their own servers directly but pay a hosting service to manage things, they are detached from the server level environment. They are probably unaware if or when server level backups occur, what is included or excluded from this backup, where and how many copies or direct mirrors of the backups are held, how long the retention periods are and who has access to these backups.

The good news is OutScribe know the answer to all these questions. We have invested our time and resources into this frequently neglected area because we understand the possible implications and ramifications of not caring. It scares us and it should scare you too.