Hacker News

I'm mostly thinking about the arbitrator scenario, or key escrow for each report.

Your current scheme suffers from the fact that once the report has been generated, the only person that can verify that a given document is the same as the submitted report is the vendor - who may not be inclined to cooperate.

It's admittedly a little far-fetched, but if there is a dispute as to the contents of the report and the vendor refuses to disclose the secret key, it ends up being the vendor's word against that of the researcher.

This can be solved by keeping the random key around or by sending it to multiple recipients. Or both. Your current strategy of immediately deleting it is pointless while the original plain-text report still exists but leads to the conundrum above.


