In the API calls there is a lot of information that could be considered personal information and I would suspect may be regulated under GDPR or ICO guidelines.
But the data is released as OGL,
Eg, All the ‘officer’ related endpoints return addresses, previous names and possibly eea, or non-eea IDs if available.
I suspect that any OGL data will also need to follow ICO or GDPR guidelines, but I can’t find any guidelines in the API docs about which data is actually legally considered personal data in the Companies House API, and if so, why is it even there?
I’ve been looking into this recently. The data is not published under OGL - instead it’s made available by statute, with no licencing restrictions. There is some analysis here:
Even though the data is in the public domain, Companies House is also legally allowed to publish personal data without restrictions under Section 34 of the DPA
End-users processing the API data separately need to ensure they meet all the conditions for having a legitimate purpose to process the personal data under the Data Protection Act 1998 (Schedules I & II apply in particular), and follow all the other responsibilities under the DPA as data controller and/or processor.
The ICO’s general guidance applies in other words, https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/ putting the onus on the users of the API to determine whether a particular field or datum counts as personal data or not. I’d suggest that the names of people (eg officers, beneficial owners, shareholders), and partial dates of birth might be the main attributes, but alone they might not be sufficient to identify a living individual due to the absence of other identifying / corroborating data, such as full date of birth, current address, town of birth, passport number, etc. It’s possible the data doesn’t count on its own as personal data under the DPA, but it might do if an API user combines it with data obtained from other sources.
The DPA might also not apply in some circumstances - it only extends to data controllers with a legal presence in the UK, so API consumers from outside the UK may have to satisfy their own local data privacy requirements. There are other exemptions, for example if the data is being processed for journalistic or research reasons.
I can imagine that there are no guidelines because Companies House aren’t actually responsible or accountable for what the end-user does with the data. They’re just following their basic purpose defined in legislation to make available the company register for public inspection. It’s really up to the ICO (or the courts) to deal with any subsequent misuse of the data under the DPA.
I can confirm that Companies House makes the public register, including personal data, available by statute rather than publishing under OGL. The Companies Acts require the registrar of companies to make information, including some personal data about company officers, available for public inspection. We place no restriction on the subsequent use of the data, other than some minor points outlined at the following link:
Any personal data that we process will be governed by the GDPR from May next year, but we are awaiting further detail to understand exactly what GDPR will mean for the public register. We do not expect GDPR to have any impact on the re-use of information on the public register, or on the basis on which this information is published.