I've been looking into this recently. The data is not published under OGL - instead it's made available by statute, with no licencing restrictions. There is some analysis here:
Even though the data is in the public domain, Companies House is also legally allowed to publish personal data without restrictions under Section 34 of the DPA
End-users processing the API data separately need to ensure they meet all the conditions for having a legitimate purpose to process the personal data under the Data Protection Act 1998 (Schedules I & II apply in particular), and follow all the other responsibilities under the DPA as data controller and/or processor.
The ICO's general guidance applies in other words, https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/ putting the onus on the users of the API to determine whether a particular field or datum counts as personal data or not. I'd suggest that the names of people (eg officers, beneficial owners, shareholders), and partial dates of birth might be the main attributes, but alone they might not be sufficient to identify a living individual due to the absence of other identifying / corroborating data, such as full date of birth, current address, town of birth, passport number, etc. It's possible the data doesn't count on its own as personal data under the DPA, but it might do if an API user combines it with data obtained from other sources.
The DPA might also not apply in some circumstances - it only extends to data controllers with a legal presence in the UK, so API consumers from outside the UK may have to satisfy their own local data privacy requirements. There are other exemptions, for example if the data is being processed for journalistic or research reasons.
I can imagine that there are no guidelines because Companies House aren't actually responsible or accountable for what the end-user does with the data. They're just following their basic purpose defined in legislation to make available the company register for public inspection. It's really up to the ICO (or the courts) to deal with any subsequent misuse of the data under the DPA.