Considerations for policy and practice
In light of the analysis above, policymakers should consider the following.
Ensuring the provisions of POPIA are adhered to
This includes ensuring that compliance with POPIA’s processing conditions and risk-mitigation measures are incorporated into implementation, for instance:
For the collection of beneficial ownership information in a central register:
- clearly establishing a purpose and legal basis compliant with POPIA, in law, for the collection and processing of personal information as part of BOT;
- ensuring the minimisation of data collected as part of BO disclosures to meet the established purpose, in line with POPIA requirements; and
- clarifying how the legal definition of beneficial ownership applies to minors in guidance or regulations.
For a publicly accessible register:
- adopting a layered or tiered access approach in which personal data (e.g. home addresses, ID numbers, and full dates of birth) are only available to specific users, such as law enforcement, and a smaller subset of data is published to the broader public (e.g. full name, month and year of birth), provided this information is sufficient to unambiguously identify beneficial owners; and
- implementing a protection regime under which individuals who are at a demonstrated increased risk of personal harm as a result of the publication of certain information can apply to have some or all information withheld from publication.
Consideration should also be given to the further processing of BO data. For example, many jurisdictions prohibit the use of information from a BO register for commercial purposes. It may be prudent to have processing conditions in line with POPIA placed on BO data, in addition to the safeguards discussed below.
Implementation of safeguards in the publication of gender data and data on minors
For either a non-public or public register, there is a need for clarity on the purpose of the collection, processing, and publication of sex-disaggregated data on beneficial owners. Unless it is necessary and justifiable to collect and publish gendered data, anonymisation of the data or similar protective mechanisms could achieve the legitimate interest sought. Data can also be collected and used for internal purposes (e.g. B-BBEE verification) and withheld from publication, as part of a layered access approach.
Implementation of gender-responsive policies in BOT policies
BOT policies can be gender responsive in their approach, even if they do not seek to promote gender equality as a primary aim. A gender-responsive approach implies that risks of potential harm associated with the collection and processing of gender information should be assessed and mitigated where possible, even if not required under data protection legislation.
Adoption of internal policies that ensure the protection of data subjects’ personal information
It may be relevant to put internal protection policies in place, such as implementing an internal access log or requiring competent authorities to specify their purpose for accessing data or specific, special personal information which is not made available to the public. This is similar to Regulation 18 of the National Credit Act, 2005, which sets out acceptable reasons for requesting a credit bureau record and credit bureaux. These measures could also be applied to public access, but they may decrease data usability and the extent to which the stated purposes are achieved.
Regulations made in terms of the National Credit Act, 2005 (Act No 34 of 2005), https://static.pmg.org.za/docs/2006/0605regulations.pdf.