Guidance on AI Transcription and Client Privacy: Protecting Personal Information in the Digital Age

scope of this guidance this guidance is specifically focused on the privacy and security of client information when using ai transcription tools in veterinary practice it is not intended to provide advice or recommendations regarding the accuracy, reliability, or clinical appropriateness of ai generated transcripts, nor does it address broader ethical considerations or the risks of errors, hallucinations, or misinterpretations that may arise from the use of artificial intelligence users should seek separate guidance for those aspects 1\ introduction your continuing obligation to client privacy as registered veterinarians, your professional and legal responsibilities extend beyond the clinical care of animals you act as custodians of personal information (pi) belonging to your clients, which includes data collected during consultations, procedures, and administrative tasks this information, such as names, addresses, contact details, and records of client veterinarian communications, is subject to the new zealand privacy act 2020 this act, along with the foundational information privacy principles (ipps), requires you to take reasonable steps to protect that data from loss, unauthorised access, or misuse digital tools, including artificial intelligence (ai) transcription services, offer significant efficiency benefits in documentation however, introducing a new third party into your information chain creates new privacy risks that require careful management and due diligence this guidance is intended to help you navigate those risks responsibly 2\ understanding the privacy risks of digital transcription when you use an ai transcription tool, you are effectively transferring raw, sensitive client data (the audio of your consultation) to an external technology provider for processing the following risks require your immediate consideration a third party control and data use under the privacy act, when you pass client pi to a service provider for processing, the information is deemed to be held by both you (the agency) and the provider (the agent) you remain legally accountable for how that provider manages the data ● risk many generic ai platforms use the data they process (your consultation audio and the resulting text) to train and improve their models this means sensitive client and animal information could be permanently ingested into a commercial ai system without your client’s explicit knowledge or consent this is a potential breach of ipp 10 (limits on use) ● risk if the transcription service is based outside new zealand, the data is subject to the privacy laws of that overseas jurisdiction, increasing the risk of unauthorised disclosure or government access ( ipp 12 – disclosure outside new zealand ) b security and storage vulnerabilities transferring data over the internet and storing it on a third party server exposes it to a greater risk of cyber attack or data breach ● risk if the platform uses weak encryption or fails to limit access, a data breach could lead to the unauthorised disclosure of client identities linked to specific veterinary histories, damaging client trust and potentially incurring a serious harm notification requirement under the act 3\ mandatory requirement for client consent and transparency the use of an ai transcription tool is a material change in how you collect and process personal information to comply with ipp 3 (collection of personal information from the individual concerned) , you must ensure the client is fully aware of this change the principle of informed consent before recording and processing a consultation via an ai transcription service, the veterinarian should 1 inform the client clearly explain that an ai service will be recording the conversation to generate a transcript for the clinical record 2 state the purpose explain that the sole purpose of the transcription is clinical documentation for their animal and that the transcript will be securely imported into the clinic’s record system 3 identify the recipient (the service) while you do not need to name the specific software, you must inform them that a third party technology provider will be processing the audio data 4 provide the option to decline crucially, the client must be given a clear option to decline the use of the ai transcription tool if a client declines, you must stop the recording immediately and use traditional note taking methods the client’s decision to decline must not prejudice their animal's care guidance note we strongly recommend obtaining this consent in both a verbal format at the start of the consultation and documented via a signed consent form or a clear notation in the clinical record at a minimum, we recommend that the client be made aware of the use of ai transcription tools via email and/or posters in the reception areas of clinics 4\ security checklist selecting a responsible ai tool before contracting with any ai transcription provider, you must undertake due diligence to ensure the service meets the security standards required by ipp 5 (storage and security of personal information) we recommend evaluating potential providers against the following key security and contractual criteria feature requirement and rationale contractual guarantee (no training) the provider must contractually guarantee that your uploaded audio files and resulting transcripts will not be used for model training, product development, or any other purpose beyond generating your specific transcript data encryption the tool must employ strong, industry standard encryption (e g , aes 256) for data both in transit (when audio is sent and transcript is received) and at rest (when data is stored on their servers) access controls & authentication the service should support multi factor authentication (mfa) for all user accounts furthermore, it should use role based access controls (rbac) to ensure that only the clinician or specific administrative staff can access the client’s records data residency clarify the physical location (jurisdiction) where the data is hosted preference should always be given to providers who host data within new zealand or another country with equivalent privacy protections data retention and disposal the provider must have a clear policy on how long they retain the audio and text files and guarantee secure and verifiable deletion of data after the transcript is delivered and imported into your system audit trails the system must maintain comprehensive, immutable (unchangeable) logs detailing who accessed the data, when, and what actions were performed these logs are vital for investigating security incidents security certifications look for independent external validation, such as iso 27001 certification (information security management system), which demonstrates a commitment to robust security practices 5\ summary of regulatory expectation adopting new technology requires corresponding diligence in managing privacy risks the vet council's expectation is that veterinarians integrate "privacy by design" principles into their selection and usage of ai transcription tools this means 1 transparency being upfront with clients about the technology being used 2 choice ensuring clients have a non prejudicial option to decline 3 security selecting a tool based on robust, verified security measures, especially contractual clauses limiting the third party provider’s use of your client’s information by taking these steps, you safeguard the personal information entrusted to you and maintain the high level of trust vital to the veterinary profession in aotearoa new zealand this guidance is informed by the privacy by design (pbd) methodology, as set out by the new zealand digital government practitioners are encouraged to review the official pbd principles and apply them when selecting and using ai transcription tools see privacy by design (pbd) – nz digital government \[i] transparency statement this technical advice has been prepared with the assistance of artificial intelligence (ai) tools to support the drafting and refinement of content the ai was used to enhance clarity, consistency, and efficiency in the development process all information presented has been reviewed, edited and approved by the veterinary council of new zealand staff to ensure it meets professional standards, reflects current veterinary practice, and aligns with regulatory requirements