AI Document Redaction: Protecting TFNs and ABNs Before Sharing
Manual redaction in Adobe is slow and error-prone. AI-powered PII detection catches what humans miss, in seconds, not hours.
An accounting firm uploads a client's tax return to share with an auditor. The return contains the client's Tax File Number, ABN, bank account details, and home address. Manually redacting these in Adobe Acrobat takes 15–20 minutes per document, and misses things. AI-powered redaction trained on Australian identifiers turns that into a two-minute review — and closes a real compliance gap.
The manual redaction problem
Manual redaction is slow, inconsistent, and error-prone. Adobe Acrobat's redaction tool requires you to find each sensitive item, draw a box around it, and apply the redaction. Miss one TFN on page 47 and you've just disclosed it to someone who didn't need to see it. Worse, a common shortcut — drawing a black box over text without flattening — leaves the underlying characters selectable, so the "redacted" data is one copy-paste away. Multiply careful, correct redaction across dozens of documents per engagement and you've got hours of tedious, high-stakes work that tends to get rushed at the worst possible moment.
Why this is a compliance issue, not just a chore
For Australian firms, leaking a client identifier isn't a tidiness problem — it's a regulatory one. Under Australian Privacy Principle 11, you must take reasonable steps to protect personal information from unauthorised disclosure. Tax practitioners are separately bound by the Tax Practitioners Board Code of Professional Conduct, which requires confidentiality of client information. And if a Tax File Number or bank detail is exposed in a way likely to cause serious harm, the Notifiable Data Breaches scheme can compel you to notify both the affected individuals and the OAIC. A single missed TFN in a shared data room can trigger all three.
How AI changes the workflow
AI-powered PII detection scans the entire document in seconds. It combines two techniques: deterministic pattern matching (regular expressions for known formats like TFNs, ABNs and BSBs, with checksum validation to cut false positives) and large language model analysis for the contextual items a regex can't catch — names, residential addresses, and unusually formatted identifiers buried in prose. ShareAndGo uses Google's Gemini for the contextual pass on top of the pattern layer. The output is a structured list: every sensitive item, its type, its location, and a confidence score.
Australian-specific patterns
This is where generic tools fall down. Most off-the-shelf PII detectors are trained on US Social Security Numbers and UK National Insurance Numbers and simply don't recognise Australian identifiers. A purpose-built system detects:
- Tax File Numbers — 9 digits, validated with the ATO's check-digit algorithm to avoid flagging every 9-digit string
- Australian Business Numbers — 11 digits with ABN checksum validation
- BSB and bank account numbers — 6-digit BSBs and 8–12 digit account numbers
- Medicare numbers — 10–11 digits with the Medicare check digit
- Australian phone, address and postcode formats
The review-then-redact workflow
AI detection isn't magic — it needs human review, and a responsible product makes that the default, not an afterthought. The workflow shows the admin every detected item with a severity rating: high for TFNs and bank details, medium for residential addresses, low for phone numbers. The admin toggles which items to redact and which to leave visible (sometimes you want the ABN visible). A redacted copy is generated for sharing; the original is preserved for the admin's own records. Guests only ever see the clean version.
Redacting a whole room at once
Per-document review is fine for one file. For a 200-document due-diligence room it's not. Batch redaction runs the same detection across every document in a room and lets you review the findings in one pass, with a dry-run mode that reports what would be redacted before anything is committed — so you can sanity-check the rules against a real room without touching the originals. That's the difference between "we have a redaction feature" and "we redacted the whole room before the auditor logged in."
A quick cost comparison
Say an engagement involves 40 documents. At 18 minutes of careful manual redaction each, that's 12 hours of senior time. At a $180/hour charge-out rate, you're either eating ~$2,160 of cost or passing it to the client. Cut the per-document time to a two-minute review and the same task is under 90 minutes — and it's more reliable, because the AI doesn't get tired at 4pm on a Friday.
Frequently asked questions
Does the original document get changed? No. A redacted copy is generated for sharing; the admin keeps the unredacted original. Where is the document processed? Within ShareAndGo's Australian (Sydney) infrastructure — your client data doesn't leave the country. Can I trust the AI to catch everything? Treat it as a fast, thorough first pass that you confirm — that's exactly why the workflow is review-then-redact, not auto-redact-and-hope.
What this means for your practice
A 20-minute manual task becomes a 2-minute review. Consistency improves because detection is systematic. Compliance improves because the things APP 11 and the TPB Code care about stop slipping through. And your clients' most sensitive data stays protected by default — which is the whole point.