TL;DR ⏩
- Recording interviews doesn't automatically trigger full board review under US IRB requirements; topic sensitivity and participant risk drive the review level
- Disclose any transcription provider, including AI tools, and document their security, retention, data residency, and confidentiality practices
- US IRBs expect specific details about storage, access controls, retention periods, and data destruction, not general promises to keep data secure
When a study involves audio recording, institutional review boards (IRBs) require explicit informed consent before any recording begins.
They also need a detailed description of the transcription plan in the protocol and a confidentiality agreement with any third party that processes the recordings.
Researchers in the US must also document how recordings will be stored, how long they will be retained, and exactly how they will be destroyed.
These requirements apply regardless of whether the researcher transcribes the recordings personally or uses an external service.
Qualitative researchers record interviews, focus groups, and oral histories because the spoken word carries information that field notes cannot fully capture: tone, hesitation, correction, and the precise phrasing a participant reaches for under pressure.
But audio recordings are identifiable data. A participant's voice is a biometric identifier in a way that a pseudonymized survey response is not, and IRBs treat recordings accordingly.
Understanding what the board actually reviews, and what it expects to see in your protocol, makes the difference between smooth approval and a round of stipulations that delays your data collection by weeks.
This article is intended for informational purposes and does not constitute legal advice. Researchers with questions about specific jurisdiction requirements should consult their institutional research ethics office and, where necessary, a qualified legal professional.
What IRBs evaluate when a study involves audio recording
The governing framework for human subjects research in the United States is the Federal Policy for the Protection of Human Subjects, commonly called the Common Rule, codified at 45 CFR 46.
Its foundations derive from the three principles of the Belmont Report: respect for persons, beneficence, and justice.
How the Belmont principles apply to recording
Respect for persons requires that participants know they will be recorded and freely consent, with the ability to decline to be recorded without losing the right to participate.
Beneficence requires that the researcher minimize risks from data exposure, which means recording only what is necessary and protecting recordings from unauthorized access.
Justice requires that the research doesn’t extract more from participants than the study purpose demands.
Review level and the minimum necessary standard
IRBs use these principles to determine both whether to approve recording and at what review level.
Recording alone does not trigger full board review. The sensitivity of the topic and the participant population are the determining factors.
For instance, research involving interview questions on a non-sensitive topic with a general adult population may qualify for expedited review even when recording is involved.
Whereas research involving sensitive topics (trauma, illegal activity, health conditions, stigmatized identities) or vulnerable populations may require convened board review regardless of the method.
Penn State's IRB Guideline XI provides a clear articulation of how these factors interact for recording-based studies.
Before submitting your protocol, determine whether your recording is collecting identifiable information beyond what the research purpose requires. If the goal is to capture what participants say, audio is appropriate.
But if the goal is to analyze speech patterns or nonverbal behavior, video may be necessary, but it introduces additional risks that the protocol must justify.
Informed consent for recording: What the form must include
The governing framework for human subjects research in the United States is the Federal Policy for the Protection of Human Subjects, commonly called the Common Rule, codified at 45 CFR 46. Its foundations derive from the three principles of the Belmont Report: respect for persons, beneficence, and justice.
How the Belmont principles apply to recording
Respect for persons requires that participants know they will be recorded and freely consent, with the ability to decline to be recorded without losing the right to participate.
Beneficence requires that the researcher minimize risks from data exposure, which means recording only what is necessary and protecting recordings from unauthorized access.
Justice requires that the research doesn't extract more from participants than the study purpose demands.
Review level and the minimal-risk standard
The review level isn't directly determined by the Belmont principles. It's decided by a specific legal test under 45 CFR 46.110: whether the study qualifies as minimal risk and fits one of the federal expedited review categories.
Minimal risk means the probability and magnitude of harm anticipated in the research is no greater than what participants would ordinarily encounter in daily life.
Recording does not, by itself, push a study above that threshold. What does is the topic and the population.
For instance, research involving interview questions on a non-sensitive topic with a general adult population often qualifies for expedited review, even when recording is involved.
On the other hand, sensitive topics (trauma, illegal activity, stigmatized identities) or vulnerable populations (children, prisoners, people with diminished capacity) can push a study to full board review, regardless of recording. The topic or population drives that, not the recording.
What the protocol needs to specify
Before submitting, determine whether your recording is collecting identifiable information beyond what the research purpose requires.
If the goal is to capture what participants say, audio is appropriate. But if the goal is to analyze nonverbal behavior, video may be necessary, but it introduces additional identifiable information and the protocol should justify that added risk.
Penn State's IRB Guideline XI lays out what the protocol and supporting documents need to describe for any study involving audio, video, or photography:
- What will be recorded and why
- What technology will be used and who owns the equipment
- What identifiable information will be captured
- How recordings will be stored, secured, transferred, and destroyed
- The plan for transcription or coding
What the IRB protocol must describe about your recording and transcription plan
IRBs review the full protocol narrative, not just the consent form.
The protocol must explain the entire pipeline from recording to transcript to storage to destruction, with enough specificity that the board can evaluate whether participant data is adequately protected at each stage.
Recording and access
The protocol must describe:
- What will be recorded (activities, setting)
- What identifiable information the recording will capture (voice alone, or also image and name)
- What equipment will be used and who owns it, and
- Which team members will have access
Access should be restricted to named roles: the PI and trained research staff. If a transcription service will be used, that must be stated here, along with a description of the confidentiality controls in place. Penn State's IRB Guideline XI lays out this checklist in detail.
Storage and retention
Recordings should be stored with access controls and encryption, on devices or platforms the institution has vetted rather than personal consumer accounts.
Many IRBs require IT-approved storage with access limited to the research team. Whether a specific tool like Box or Google Drive qualifies depends on your institution's data security policy.
Columbia's TC IRB, for example, directs researchers to use IT-approved software for data collection and storage, and permits institutional Google Drive specifically because access can be restricted to the research team.
The standard practice is to delete audio recordings once transcripts have been verified against them for accuracy. Audio carries more re-identification risk than a de-identified transcript, so holding it longer than necessary raises the study's risk profile.
Retention minimums can extend this timeline, though. The Common Rule itself generally expects research records to be retained for at least three years after a study closes.
Federally funded studies may carry additional sponsor-specific requirements: per the NIH Grants Policy Statement, Section 8.4.2, NIH recipients must retain grant-related records, including supporting documentation, for three years from the date the annual Federal Financial Report is submitted, and NSF requires a comparable three-year period after submission of required reports.
Many institutions apply a similar or longer window specifically to recordings as a matter of policy, sometimes extending well past three years.
Confirm the applicable retention period with your research office, and state it accurately in the consent form before any deletion occurs.
Destruction and de-identification
Destruction means secure deletion, not simply moving files to the trash. For digital files, this means using a verified secure deletion process; some institutional IRBs request documentation that destruction occurred.
Transcripts may be retained after recordings are destroyed, provided they have been adequately de-identified.
📌 Important:
Replacing participant names with pseudonyms does not by itself make a transcript de-identified.
As long as a key or master list exists linking the pseudonym back to the participant, the data remains identifiable and re-identifiable by anyone with access to that key.
This holds under the HIPAA Safe Harbor standard as well as under general IRB practice: de-identification requires that the link to the participant's identity be severed or destroyed, not just hidden behind a substitute label.
IRBs that apply HIPAA standards to research data will ask how identifiers are handled and where the linkage key is stored.
IRB protocol checklist for audio recording studies
| Protocol element | What the IRB needs to see |
|---|---|
| Recording purpose | Why recording is necessary for the research purpose |
| Identifiable information | Type of identifiers captured (voice, image, name) |
| Technology | Device type and ownership (institutional vs personal) |
| Access | Named roles with access; trained study team only |
| Third-party transcription | Service name or category, plus confidentiality agreement status |
| Storage | Platform, encryption method, access control |
| Retention | Specific timeline with federal sponsor requirements noted if applicable |
| Destruction | Secure deletion method and documentation |
| Future use | Whether recordings may be used beyond this study; IRB approval required for any such use |
For studies involving participants in EU member states, GDPR can apply even when the researcher is based outside the EU.
Where it applies, GDPR doesn't ban non-EU transcription platforms outright, but it does require a valid transfer mechanism, like Standard Contractual Clauses, and a data processing agreement with the vendor.
Consent requirements under GDPR add another layer on top of this, and worth confirming with your institution's DPO rather than assuming.
📚 Also read:
Third-party transcription services and IRB requirements
Many researchers treat a transcription service simply as a tool, something like a software feature rather than a data relationship. IRBs treat it as a third-party processor of identifiable human subjects data, which changes what the protocol must address.
The confidentiality agreement requirement
Any external transcriptionist, whether an individual hired by the researcher or a transcription company, must be disclosed in the IRB protocol and must sign a confidentiality agreement before accessing recordings.
UMBC's IRB guidance on using transcriptionists states that transcription service personnel generally do not need to complete full human subjects research training, but the confidentiality agreement must cover:
- Limits of use (transcription only, no other purpose)
- Prohibition on retaining copies of the audio after the job is complete
- Secure file transfer and return
- No subcontracting
NYU's IRB similarly requires that researchers identify any external transcriptionist in their protocol and have that person sign a confidentiality agreement before files are shared.
AI transcription services as third-party processors
When a researcher uploads a research recording to an AI transcription software, that platform becomes a third-party processor of identifiable research data.
IRBs increasingly ask the same questions about AI tools that they ask about human transcription services, with a few additions specific to automated processing.
A researcher must be able to answer these questions when proposing an AI transcription tool in an IRB protocol:
- Does the platform retain audio files after transcription is complete, and for how long?
- Is uploaded audio used to train or improve AI models?
- In which country or region does processing and storage occur (data residency)?
- What security certifications does the platform hold?
- Is there a data processing agreement or business associate agreement available for researchers who need one?
Comparing human and AI transcription under IRB review
| IRB consideration | Human transcriptionist | AI transcription service |
|---|---|---|
| Confidentiality commitment | Signed confidentiality agreement before file access | Data processing agreement or BAA with vendor |
| Data retention | Returns or deletes materials after job is complete | Verify platform retention policy explicitly |
| Training data use | Not applicable | Confirm whether audio is used for model training and what opt-out controls exist |
| Data residency | Typically the researcher's jurisdiction | Verify country of processing and storage |
| Security certification | Not typically applicable to an individual | SOC 2, ISO 27001, GDPR compliance as applicable |
Researchers who can document their transcription tool's answers before the IRB submission, rather than after a stipulation, move through review faster.
Looking for a secure transcription tool for academic research?
HappyScribe is the tool to reach for if you want to stay compliant with IRB requirements without slowing your research down. It's SOC 2 Type II certified and GDPR-compliant, with all data stored in an EU-based data center that meets Tier IV, PCI DSS, and ISO 27001 standards.
When sensitive content demands precision, human-made transcription is available, with verified accuracy reaching 99%.
Every reviewing linguist signs an NDA before accessing your files. Institutional and enterprise users can request a Data Processing Agreement (DPA) directly.
How to write the transcription plan in your IRB protocol
Treat the transcription plan with the same level of detail as the rest of your protocol. The more specific you are, the easier it is for the board to evaluate your method, including any confidentiality considerations and how you're addressing them.
What to state for each transcription method
a. For manual self-transcription: State that the PI or a named team member will transcribe the recordings personally, that audio files will be stored on an encrypted device accessible only to the research team, and that recordings will be deleted per the study's data destruction timeline after transcription is verified.
b. For a human transcription service: Name the service, or if the service has not yet been selected, describe the category (e.g., "a professional transcription service"). State that a confidentiality agreement will be executed with the service before any files are transferred, that files will be transferred via encrypted upload rather than email, and that the service will return and delete all files upon completion.
c. For an AI transcription service: Name the platform. State the data residency, the platform's security certifications, whether participant data is excluded from model training (or what opt-out controls are in place), and what human review step will be applied to the AI-generated transcript before the audio is deleted.
Language and verification
Here’s the language principle that applies across all three methods: specific and verifiable beats general and reassuring. "Files will be stored securely" gives the IRB nothing to evaluate.
"Audio files will be stored in an AES-256 encrypted institutional Box folder, accessible only to the PI and one trained RA, and deleted within 30 days of transcript verification" gives the board exactly what it needs.
Whichever transcription method the researcher uses, the protocol should ensure that transcripts are reviewed against the original recording for accuracy before the audio is deleted.
Make your transcription plan board-ready
A protocol that clearly names your transcription method, who has access, where the data is stored, and when it gets destroyed rarely comes back with stipulations.
The principle holds across every method: specificity beats reassurance. Write down the answers before the board has to ask.
If you're weighing transcription partners, HappyScribe checks the boxes IRBs ask about most, including SOC 2 Type II certification, GDPR compliance, EU data residency, and a DPA on request, so that section of your protocol is one less thing to revise.
Need something tailored to your institution's requirements? Contact sales for a plan built around your research workflow.
FAQs on IRB requirements for transcription in the US
Do I need IRB approval before recording research participants?
Yes. Recording is part of the study procedures and must be described in the IRB application and approved by the IRB before any data collection begins. Depending on the sensitivity of the topic and the population, recording-based research may qualify for exempt or expedited review. More sensitive research, involving trauma, health conditions, stigmatized identities, or legally sensitive topics, may require full board review. The review category is determined by the IRB, not the researcher.
What happens if a participant changes their mind about being recorded?
Participants can withdraw recording consent at any time, including during the session. The researcher must stop recording immediately. If the participant requests deletion of an existing recording, the researcher must comply. Once a recording has been de-identified and incorporated into analysis, full deletion may not be technically possible. The consent form must explicitly acknowledge this limitation so that participants understand it before they consent.
Can I use Zoom's built-in transcription for an IRB-approved study?
It depends on your institution's approved platforms and what your IRB protocol describes. Zoom's automatic transcription is generated by a third-party processor: Zoom itself. Researchers need to confirm that Zoom's data handling policies meet their institution's IRB and data security requirements, and the platform must be disclosed in the protocol.
Do AI transcription tools need to be listed in my IRB protocol?
Yes. Any third party that processes research recordings, including AI transcription platforms, must be disclosed in the IRB protocol. The board will assess whether the tool introduces confidentiality or data security risks beyond the original plan, particularly around data retention, training data use, and data residency. An AI tool that retains audio files or uses them for model training without an opt-out creates a risk profile the board will scrutinize.
What is a reliable transcription tool for academic research?
HappyScribe is a strong choice for academic research projects. It is SOC 2 Type II certified, GDPR-compliant, and stores data in an EU-based data center that is ISO 27001 and PCI DSS-certified.
Besides AI transcription, you can opt for human-reviewed transcripts as well, where all linguists sign NDAs before accessing files. For universities and research institutions, HappyScribe provides a Data Processing Agreement (DPA) on request, helping researchers meet common IRB and institutional data protection requirements.
Rodoshi Das
Rodoshi helps SaaS brands grow with content that converts and climbs across SERPs and LLMs. She spends her days testing tools and turns her experience into interesting narratives to help users make informed buying decisions. Off the clock, she trades dashboards for detective novels and garden therapy.