More and more organisations are outsourcing transcription for investigative interviews. But how do you make sure your sensitive, confidential data is captured, shared, and stored securely? Two security standards, ISO27001 and CyberEssentials, can provide reassurance.
Investigative interviews come in all shapes and sizes.
You might be a regulator running an inquiry into bribery and corruption, or a local authority looking at council tax, benefits or pensions fraud.
Maybe you’re working in an overstretched police force, always under pressure to do “more for less”. Or perhaps you’re an HR professional, holding interviews as part of employment disputes, disciplinary hearings or appeals.
Whatever the scenario, having an accurate written record of your interviews is essential, whether it’s part of the official record or just background information.
More and more organisations are outsourcing transcription, whether that’s verbatim, intelligent verbatim, note taking, summaries or language services. But for investigative interviews, there’s a catch.
Interviews like this can be sensitive, dealing with confidential or contentious issues. And new GDPR rules mean you need to take even more care when capturing, moving, and storing data. The reputational risks are considerable if something goes wrong.
So how do you make sure your information is safe when you’re not in control of your external partner’s data management systems and processes?
Among the quality standards dealing specifically with cyber security, two are worth looking out for. Whilst some charter marks and accreditation schemes are just about “box ticking”, ISO27001 and CyberEssentials are different.
ISO27001 is an internationally recognised standard for handling data. It covers strategy, policy and procedures across all the legal, physical and technical aspects of an organisation’s information management. Appen has been accredited to ISO27001 since 2012.
To qualify, an organisation must:
- Identify IT risks
- Assess the implications of those risks
- Put in place systems to limit the potential damage
It’s a demanding standard, assessed by an external auditor. There must be a commitment from the top down, and it must be implemented by people with the right skills, so training is key.
Once accredited, an organisation must work hard to retain ISO27001 status, demonstrating continuous improvement.
It’s worth it though; the evidence shows ISO27001 reduces the number and severity of security incidents and keeps IT systems and processes controlled and well-managed. Most of all, it shows that keeping information safe is a priority.
The other data management standard to look for is CyberEssentials (CE). It’s a simpler, more practical process, although still rigorous and well worthwhile for organisations that need to maintain a secure digital environment.
Overseen by the National Cyber Security Centre (NCSC), part of GCHQ, CE is specified for all UK Government contracts that involve handling sensitive or personal data. Appen’s been CE accredited since 2016.
The standard is a comprehensive look at all aspects of IT. Applicants must ask themselves:
- Are our firewalls secure and fit for purpose?
- Are our security settings the right ones?
- Who can access what data?
- Is our malware and virus protection adequate?
- What arrangements are there for keeping devices/software up to date?
An external auditor examines the self-assessment and decides whether to award the CE mark. As with ISO27001, organisations must reapply regularly.
Even if, like Appen, your chosen provider is accredited to ISO27001 and CE, you can still dig deeper. Why not ask what issues, if any, the external auditors found, how many incidents, if any, there’ve been, and what specific measures are in place to retain the accreditation?
If information security is important to you, don’t just cross your fingers when outsourcing transcription. When you’re agreeing a contract, demand ISO27001 and CyberEssentials compliance. They’re more than logos; they’re an assurance that an organisation is committed to identifying and preventing risks. These information security standards set the bar high, and it takes constant review, challenge and action to get and keep them.