Redacting Tax Returns Before Sharing: Guide for Accountants
Tax files are packed with identifiers - UTRs, NI numbers, bank details - that your client never intended to share beyond HMRC. This guide walks through what to redact before a document leaves your office, and how to do it without creating a liability.
By RedactProof Editorial Team · 1 May 2026
This article is for general informational purposes only and does not constitute legal advice. Regulatory requirements vary by jurisdiction and change over time. Consult a qualified legal professional for advice specific to your organisation's circumstances.
A client emails on a Tuesday morning. Their mortgage application is stalled. The broker needs three years of self-assessment tax returns by Friday. The client wants you to send them across. The returns contain the client's Unique Taxpayer Reference (UTR), National Insurance number, bank account details, dividend schedules from a business they no longer want the broker to know about, and health-related income protection figures from a year they'd rather not explain.
This is the scenario that lands on accountants' desks constantly - not as a hypothetical but as a Tuesday. The question is not whether to help the client. It's what leaves the file and in what form.
What counts as sensitive in a tax return
Self-assessment returns (SA100 and associated pages) are dense with personal identifiers. Some are obvious. Others are less so.
Standard identifiers that typically warrant redaction before third-party sharing:
- Unique Taxpayer Reference (UTR) - a 10-digit number permanently linked to the individual
- National Insurance number - can be used to access government benefit and employment records
- Bank account details appearing in repayment sections
- PAYE reference numbers identifying specific employers
- Income from sources the client has not chosen to disclose to this particular third party
Less obvious categories that come up in practice: rental property addresses (which can reveal asset positions the client considers private), foreign income schedules with overseas account references, and self-employment income from activities the client may not want every third party to be aware of - particularly relevant where a client runs multiple businesses.
The mortgage broker asking for the return generally needs one thing: evidence of income sufficient to support the lending decision. They do not need the UTR. They do not need the NI number. They often do not need details of income streams beyond those relevant to the application. Redacting everything beyond what the specific recipient actually needs is not just permitted - it's good data handling practice under UK GDPR's data minimisation principle (Article 5(1)(c)).
Four scenarios accountants handle regularly
Tax return shared with a mortgage broker or conveyancer
The most common scenario. The broker or conveyancer needs income verification. Before sending, redact the UTR, NI number, bank account details, and any income schedules that fall outside what the broker has asked for. If the client has rental income from ten properties but the broker only needs to see their employed income, the rental schedules can go. Keep only what directly supports the application.
One practical point: confirm with the client what the broker has actually requested. Clients sometimes assume the broker needs "the whole return." In practice, many brokers specify what they need. Get that specification in writing - it defines what you're authorising to share and protects you if questions arise later.
P60 or P11D shared with a financial adviser
P60s confirm annual earnings from an employer. P11Ds record benefits in kind. Neither document is designed for third-party sharing and neither carries obvious prompts to review its contents before forwarding. But a P60 contains the PAYE reference number, the employer's name, the NI number, and the full annual figure. A P11D can reveal company car details, private medical cover, loan arrangements, and other benefits the client may not wish to disclose to a particular adviser.
Before sharing either document, check what the financial adviser specifically needs. If they need an income figure for pension planning purposes, the NI number and PAYE reference are irrelevant to that purpose. Redact accordingly.
Full statutory accounts shared with a potential investor or lender
Full accounts prepared for a limited company or LLP can contain director remuneration details, personal guarantee information, shareholder loan balances, and sometimes addresses that directors may not want publicly associated with the business. The filed abbreviated or micro-entity accounts at Companies House are already public. The full accounts - which include detail not in the filed version - are a different matter.
Investor and lender due diligence requests frequently ask for full accounts. Before sharing, identify whether the accounts contain any personal data beyond what is commercially necessary for the diligence exercise. Director NI numbers should not appear in accounts at all - but errors happen. Check.
Payroll register shared with an external auditor
Payroll registers are among the most personally sensitive documents a firm holds on behalf of a client. They contain names, NI numbers, bank account details, salary figures, deductions (which can reveal pension contributions, attachment orders, or childcare payments), and sometimes maternity or sick pay periods that reveal health information.
External auditors typically need payroll registers to verify completeness and accuracy of payroll costs. They need the aggregate figures and the structure. They rarely need every individual's bank account number or NI number to do that work. Confirm the scope of the audit request before sharing, and redact personal identifiers that fall outside what the auditor actually needs for the audit opinion.
UK regulatory framework for accountants
HMRC data handling expectations. As of May 2026, HMRC's own Data Protection Policy sets out principles for how tax data should be handled. For accountants holding client tax data, the key point is that data obtained in a professional capacity for tax purposes is held under an implicit duty of confidentiality - independent of, but aligned with, UK GDPR obligations. Sharing client tax data with third parties without client consent, or beyond what is necessary for the client's instruction, is a breach of that duty.
ICO guidance for the accountancy sector. The Information Commissioner's Office does not publish accountancy-specific redaction guidance, but its general guidance on data sharing and data minimisation applies directly. The ICO's position is that organisations should share only the personal data that is necessary for the specific purpose. Where tax returns are shared for mortgage verification, only income data directly relevant to the application is necessary.
ICAEW and ACCA professional standards. Both the ICAEW Code of Ethics (updated 2025, effective 1 July 2025) and the ACCA Code of Ethics and Conduct impose a duty of confidentiality on members. The 2025 ICAEW update introduced a new definition of "confidential information" and an explicit duty to take active steps to preserve confidentiality throughout the data lifecycle. Sharing client data beyond what the client has authorised, or beyond what is required for a specific engagement, is a potential breach of the fundamental principle of confidentiality under both codes.
UK GDPR data minimisation applies to accountancy firms just as it applies to any other data controller. Under Article 5(1)(c), personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." Sharing a full, unredacted tax return with a mortgage broker when only income figures are required fails that test.
RedactProof processes documents in your browser - files never leave your device - and detects UTRs, NI numbers, bank account details, and 40+ other personal data types automatically.
Handling UTR, NI numbers, and financial identifiers
A Unique Taxpayer Reference (UTR) is a 10-digit number issued by HMRC. It is unique to an individual or entity and is used to identify them across the UK tax system. A UTR in the wrong hands is a meaningful piece of identity data - particularly when combined with a name and date of birth. Unless the recipient has a specific, legitimate reason to hold the UTR (for example, an agent submitting returns on the client's behalf), it should be redacted.
A National Insurance number (NI number or NINO) is even more sensitive. It is used to access employment records, benefit entitlements, and tax credits. Redact NI numbers from every document unless the recipient specifically needs them for a documented purpose - which, in most third-party sharing scenarios, they do not.
Bank account and sort code combinations appearing in tax return repayment sections should be redacted as a default. These are directly usable for fraud. A mortgage broker does not need a client's bank account number to assess income. Remove it.
For a practical overview of PII categories and how to identify them systematically, our guide to what is PII covers the full taxonomy in plain terms.
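The identifier formats described in this section (a 10-digit UTR, a two-letter/six-digit/suffix-letter NI number, and sort code plus account number pairs) can be flagged mechanically in text extracted from a document before a reviewer signs it off. The following is an added example written for this guide, not RedactProof's code: the names Finding, scan and mask are chosen here, the sample text is constructed, and the patterns are format checks only (the NI prefix rules follow the gov.uk validation pattern; no check digits are verified), so every hit is a candidate for the reviewer to confirm rather than a verified identifier.

```python
"""Flag UK tax identifiers in extracted document text before it is shared.

Added example for this guide, not RedactProof's code. Format rules only: every
hit is a candidate for the reviewer to confirm.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # which identifier type matched
    value: str     # the text exactly as it appears in the document
    start: int     # character offsets, so the reviewer can locate the hit
    end: int


# UTR: 10 digits, usually printed as two groups of five. Any 10-digit run is a
# candidate, so expect the odd false positive on other reference numbers.
UTR_RE = re.compile(r"(?<![\d-])\d{5} ?\d{5}(?![\d-])")
# NI number: the gov.uk validation pattern (D, F, I, Q, U, V never used as prefix
# letters; O never used as the second letter; prefixes BG, GB, NK, KN, TN, NT, ZZ
# never issued; suffix A-D), allowing the spaces HMRC prints between groups.
NI_RE = re.compile(
    r"(?<![A-Z0-9])(?!BG|GB|NK|KN|TN|NT|ZZ)"
    r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z] ?\d{2} ?\d{2} ?\d{2} ?[A-D](?![A-Z0-9])",
    re.IGNORECASE,
)
# Bank details as printed in a repayment section: 2-2-2 sort code, 8-digit account.
SORT_CODE_RE = re.compile(r"(?<![\d-])\d{2}[- ]\d{2}[- ]\d{2}(?![\d-])")
ACCOUNT_RE = re.compile(r"(?<![\d-])\d{8}(?![\d-])")

# Priority order: an NI number's digit groups would otherwise also look like a
# sort code, so the more specific pattern claims the span first.
PATTERNS = [
    ("NI number", NI_RE),
    ("UTR", UTR_RE),
    ("sort code", SORT_CODE_RE),
    ("account number", ACCOUNT_RE),
]

# Constructed sample text, loosely shaped like a self-assessment summary page.
SAMPLE = (
    "Self Assessment tax return 2024-25\n"
    "Unique Taxpayer Reference: 12345 67890\n"
    "National Insurance number: ab 12 34 56 c\n"
    "Repayment to: sort code 12-34-56, account number 12345678\n"
    "Total income from employment: 48,250.00\n"
)


def scan(text: str) -> list[Finding]:
    """Return every identifier-shaped string in text, ordered by position.
    A span already claimed by a higher-priority pattern is not reported twice."""
    found: list[Finding] = []
    for category, pattern in PATTERNS:
        for m in pattern.finditer(text):
            if any(m.start() < f.end and f.start < m.end() for f in found):
                continue
            found.append(Finding(category, m.group(0), m.start(), m.end()))
    return sorted(found, key=lambda f: f.start)


def mask(text: str) -> str:
    """Reviewer's preview: replace each hit with a labelled marker so the
    remaining text can be read through for anything the patterns missed."""
    out, pos = [], 0
    for f in scan(text):
        out.append(text[pos:f.start])
        out.append(f"[REDACTED {f.category}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.category:15} {f.value!r} at {f.start}-{f.end}")
    print(mask(SAMPLE))
```

The preview from mask is for the reviewer's eyes only; it operates on extracted text and is not itself a redaction of the PDF. Income figures, employer names and property addresses are not pattern-shaped and still need the human read-through described in this guide.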
Pixel-burn redaction versus overlay: why the method matters
Overlay redaction - placing a black box over text in a PDF - is not the same as removing the underlying data. The text layer remains in the file. Anyone with basic PDF tools or the ability to select-all and copy text can recover it. The ICO's guidance on disclosing documents securely specifically warns against redaction methods that leave underlying data recoverable.
Pixel-burn redaction converts the document page to an image and permanently destroys the text layer. The underlying data is gone. A mortgage broker, investor, or auditor who receives a pixel-burned document cannot recover what was redacted regardless of what tools they use. This is the standard that professional redaction requires.
Our guide to how to redact a PDF covers the technical difference between overlay and pixel-burn redaction in detail, including how to check whether a redaction is actually permanent.
Building a repeatable process for your firm
For sole practitioners and small firms handling occasional document sharing, an ad hoc approach works until it doesn't. When a trainee forwards an unredacted P60 to a financial adviser because nobody told them that NI numbers should come out first, that is a data breach. Under UK GDPR, a data breach that poses a risk to individuals' rights and freedoms must be reported to the ICO within 72 hours.
A simple written procedure reduces that risk significantly. The procedure does not need to be elaborate. It needs to answer three questions: Who checks outgoing documents for personal identifiers before they leave the firm? What categories of identifier are always removed before third-party sharing? What tool is used to apply permanent redaction?
For firms handling payroll for multiple clients, consider a standard checklist at the point of external sharing: has the document been reviewed for NI numbers and bank details? Has the client confirmed what the recipient actually needs? Has the redaction been verified in the output file?
Our redaction policy template provides a starting framework that can be adapted for accountancy and bookkeeping firms.
Frequently Asked Questions
Do I need client consent to redact a tax return before sharing it?
Redacting a document before sharing it with a third party is not a separate act requiring consent - it is how you limit disclosure to what the client has actually authorised. If a client has asked you to share their tax return with a mortgage broker, they have consented to sharing income verification data with that broker. They have not consented to sharing their UTR, NI number, and bank account details. Redacting those items means you are sharing what was authorised. Confirm the purpose of the sharing request with the client before sending, and document that confirmation.
What should I redact from a tax return sent to a mortgage broker?
At minimum: UTR, NI number, bank account and sort code details from the repayment section, and any income schedules not relevant to the mortgage application. If the broker has specified what they need - typically total income and employment income figures - you can redact everything beyond that scope. Check with the client what the broker has requested before you start. The less personal data that leaves your firm, the lower the data protection risk.
What is the difference between overlay redaction and pixel-burn redaction?
Overlay redaction places a visual block (typically black) over text in a PDF. The underlying text remains in the file and can be accessed by selecting, copying, or using PDF analysis tools. It provides visual privacy but not actual data protection. Pixel-burn redaction converts the document page to an image and permanently destroys the text layer - the underlying data no longer exists in the file. The ICO's guidance on disclosing documents securely advises against methods that leave underlying data recoverable. For any document containing sensitive personal data such as NI numbers or bank details, only pixel-burn redaction provides adequate protection.
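The overlay-versus-pixel-burn distinction explained in the section on redaction methods above and restated in this answer can be checked mechanically. The following is an added example written for this guide, not RedactProof's code: it inflates each content stream of a PDF, lists the literal text strings a reader would still render, and reports which identifiers meant to be removed remain recoverable. The two PDFs it builds are constructed in-line (a page whose text is merely covered by a black rectangle, and a simplified stand-in for a burned page whose text operators are gone), and make_pdf, recoverable_strings and leaked_identifiers are names chosen here.

```python
"""Check whether a 'redacted' PDF still carries the text it was meant to remove.

Added example for this guide, not RedactProof's code. A positive result proves the
redaction failed; an empty result does not prove the file is clean.
"""
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
# A PDF literal string: (...) with backslash escapes; nested parentheses not handled.
LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)")


def _inflate_or_raw(data: bytes) -> bytes:
    """Inflate a FlateDecode stream; if the bytes are not zlib data, use them as-is."""
    try:
        # decompressobj tolerates the newline that precedes 'endstream'
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return data


def recoverable_strings(pdf: bytes) -> list[str]:
    """Literal strings inside content streams: text that can still be selected and copied."""
    strings = []
    for m in STREAM_RE.finditer(pdf):
        content = _inflate_or_raw(m.group(1))
        for s in LITERAL_RE.finditer(content):
            raw = s.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
            strings.append(raw.decode("latin-1"))
    return strings


def leaked_identifiers(pdf: bytes, identifiers: list[str]) -> list[str]:
    """Identifiers that were meant to be removed but still appear in the text layer.
    Spaces are ignored so that 'AB 12 34 56 C' and 'AB123456C' compare equal."""
    haystack = "".join(recoverable_strings(pdf)).replace(" ", "")
    return [i for i in identifiers if i.replace(" ", "") in haystack]


def make_pdf(page_content: bytes, compress: bool = True) -> bytes:
    """Constructed one-page PDF around the given content stream (no xref table,
    which the check above does not need)."""
    body = zlib.compress(page_content) if compress else page_content
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.4\n"
        + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        + b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /Contents 4 0 R >> endobj\n"
        + b"4 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\n"
        + b"stream\n" + body + b"\nendstream\nendobj\n"
        + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


# Constructed pages. OVERLAY draws the text, then a black box over it: the text
# operators are still in the file. BURNED stands in for a rasterised page: only the
# box remains (real pixel-burn output carries the page as an image instead).
OVERLAY = b"BT /F1 12 Tf 72 700 Td (NI number AB123456C) Tj ET 0 g 72 690 200 20 re f"
BURNED = b"q 0 g 72 690 200 20 re f Q"
OVERLAY_PDF = make_pdf(OVERLAY)
BURNED_PDF = make_pdf(BURNED)

if __name__ == "__main__":
    for name, doc in (("overlay", OVERLAY_PDF), ("burned", BURNED_PDF)):
        print(name, "recoverable:", recoverable_strings(doc),
              "leaked:", leaked_identifiers(doc, ["AB 12 34 56 C"]))
```

Treat this as a first screen, not a verdict. Real PDFs also carry text as hex strings under font-specific encodings, and sensitive values can survive in annotations, form fields, bookmarks, document metadata and attached files, none of which this check reads. A hit means the redaction has to be redone; an empty result still warrants opening the output file and trying select-all and copy, as the guide recommends.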
Does UK GDPR apply to accountancy firms sharing client tax data?
Yes. Accountancy firms are data controllers under UK GDPR when they hold personal data about their clients. This includes tax returns, payroll records, and financial documents. The data minimisation principle (Article 5(1)(c)) requires that personal data shared with third parties is limited to what is necessary for the specific purpose. HMRC data handling expectations and ICAEW/ACCA professional conduct standards on confidentiality reinforce the same principle from different directions. In practice, sharing unredacted tax returns with third parties when only specific information is needed is inconsistent with both data protection law and professional ethics standards.