Privacy and data protection considerations
Information about a person’s sex is relevant to their right to privacy. Legally, sex data combined with information about other individual characteristics can constitute personal data, and can fall under the purview of data protection legislation. Personal data can be defined as any information related to an identified or identifiable natural person. Data protection legislation has evolved in many countries to govern the proper use of personal data with respect to privacy. This includes requiring a legal basis to process personal data. Examples of legal bases include consent from the individual and the processing of data being in the individual’s or the public’s interest.
The expanded possibilities of acquiring and processing information about individuals through widespread digitalisation have given rise to various questions and debates in feminist approaches to data. Some criticise policymakers for not recognising gender and sex as a sensitive or special category personal data that requires extra protection against arbitrary uses, such as surveillance and data exploitation for commercial purposes. Furthermore, feminist thinkers caution for gender-specific potential harm caused by processing sex or gender data, such as gender-based violence, harassment, and stalking. Others advocate for the recognition of gender equality as a matter of public interest, thereby providing a legal basis for governments to process data for sex information without requiring free and informed consent by data subjects.
Whether governments process sex-disaggregated BO data they implicitly hold – either as a result of BO disclosures or by integrating BO data with other government datasets – or explicitly collect sex data as a part of BO disclosures, the processing of sex data comes with potential privacy risks for governments to consider, and may create data protection obligations.
Sensitive and special category personal data
The potentially sensitive nature of sex data is reflected in data protection laws across different jurisdictions. Although most data protection laws recognise sexuality, sex life, and sexual orientation as personal and sensitive or special category data, there is no consensus on the category of gender or sex data. In data protection legislation, sensitive data are usually subject to a higher threshold for processing than non-sensitive personal data, for example, by requiring explicit consent.
For example, the European Union’s (EU) General Data Protection Regulation (GDPR) has emerged as the gold standard of data protection. The law has been retained in identical form in the United Kingdom (UK) after leaving the European Union, and it is also used as a model by many countries outside Europe, such as Brazil, Japan and South Africa. GDPR does not recognise gender or sex data as a special category of personal data. In contrast, the Southern African Development Community (SADC) model law on data protection recognises gender as sensitive personal data. Whereas the GDPR is legally binding, the SADC model law is not binding.
Regardless of whether gender or sex information is considered sensitive personal data, a gender-responsive approach to BOT policy implies that risks of potential harms associated with the collection and processing of gender information should be assessed and mitigated where possible. This can help ensure that any risks of harm are proportional to achieving the stated purpose.
Purpose and legal basis for data collection and processing
The processing of personal data requires a clear purpose and legal basis, usually outlined in data protection legislation. Most legal bases require that data processing is necessary for a specific purpose that cannot otherwise be achieved. Further, the legal basis should be established before processing and should be documented. The need to establish a legal basis, and which legal basis is sufficient, will depend on whether gender or sex is considered personal data in local or regional legislation.
The processing of sex-disaggregated BO data for gender equality is likely to expand BOT’s primary purpose. BO data is primarily collected to reveal and identify beneficial owners of companies and this intended use is often specified in law. Using the data provided in disclosures for other purposes, including monitoring gender equality or affirmative action policies, is likely to require a separate legal basis to be established. This could involve, for example, securing consent and informing data subjects of how their data will be used.
One option for governments seeking to use sex-disaggregated BO data for gender equality policy is to include it as a voluntary field in disclosures, whilst explaining the reasons for its collection. Another is to request consent through disclosures for the government to integrate personal data with existing sex-disaggrated datasets. Alternatively, governments can establish legal bases that do not carry the same burden of consent. For example, under GDPR, they may pivot to legal bases such as: carrying out a specific legal obligation, exercising a particular right, or protecting vital interests of the data subject.
Processing personal data to determine sex
Whether the processing of sex data falls under the scope of data protection laws depends on its categorisation. Data processing can include explicitly collecting sex data; cross-checking data against other datasets; using supporting documentation to determine the sex of beneficial owners; and publishing sex-disaggregated BO data. Governments can implicitly determine the sex of beneficial owners by processing specific data points or supporting documentation to verify personal information provided in BO declarations. Depending on the approach and data used, explicit consent may be needed.
For example, governments might attempt to implicitly determine the sex of beneficial owners using the photographs on supporting documentation. Photographs, or data produced by facial recognition systems, may be considered biometric data. The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images…” Not all jurisdictions may classify static photographs as biometric information. For example, the GDPR only does when following “specific technical processing”, such as “using the image data to create an individual digital template or profile … for automated image matching and identification”.
The GDPR prohibits the processing of biometric data for the purpose of uniquely identifying natural persons, with limited and restrictive exemptions, such as with an individual’s explicit consent. The SADC model law also explicitly prohibits the processing of biometric data by recognising this category of data as sensitive personal data, making it subject to heightened protection requirements. Determining the need for and securing explicit consent to use and collect sensitive personal data for a specific purpose is also important for governments seeking to use implicitly held sex data of beneficial owners for gender equality purposes.
 “GDPR: Personal Data”, intersoft consulting, n.d., https://gdpr-info.eu/issues/personal-data/#:~:text=GDPR%20Personal%20Data&text=The%20term%20is%20defined%20in,identified%20or%20identifiable%20natural%20person.
 In some cases, data exploitation may contribute to the expectation that women should look a certain way and seek to perpetuate traditional gender roles in society. See: “Gender”, Privacy International, n.d., https://privacyinternational.org/learn/gender.
 See: Richard V. Ericson and Kevin D. Haggerty, “The surveillant assemblage”, British Journal of Sociology 51, no. 4 (15 December 2003): 605–622, https://doi.org/10.1080/00071310020015280; Abdo Hassan, “Different Stories are Possible: On Data, Feminism and Inclusion”, Digital Society School, Medium, https://medium.com/digitalsocietyschool/different-stories-are-possible-on-data-feminism-and-inclusion-99ee126bff90; Nabil Hassein, “Against Black Inclusion in Facial Recognition”, Digital Talking Drum, 15 August 2017, https://digitaltalkingdrum.com/2017/08/15/against-black-inclusion-in-facial-recognition/.
 Chenai Chair, “Does data safeguard against gender-based risks in Southern Africa?”, Heinrich Böll Stiftung, 1 July 2021, https://eu.boell.org/en/2021/07/08/does-data-protection-safeguard-against-gender-based-risks-southern-africa.
 See: Pinar Guven and Tatyana Teplova, Towards a Gender-sensitive Framework for Sound Public Governance (Paris: OECD, February 2020), 3, https://www.cig.gov.pt/wp-content/uploads/2020/02/GOV-PGC-GMG2020-DRAFT-Towards-gender-sensitive-framework.pdf.
 See: “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) GDPR”, Official Journal of the European Union, 27 April 2016, Article 9, Paragraph 1, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e1797-1-1.
 See: “Sensitive data” definition, Data Protection: Southern African Development Community (SADC) Model Law (Geneva: International Telecommunication Union (ITU), 2013), 6, https://www.itu.int/en/ITU-D/Projects/ITU-EC-ACP/HIPSSA/Documents/FINAL%20DOCUMENTS/FINAL%20DOCS%20ENGLISH/sadc_model_law_data_protection.pdf.
 “Lawful basis for processing”, Information Commissioner’s Office (ICO), n.d., https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/.
 “Lawful basis for processing”, ICO.
 “What is special category data?”, ICO, n.d., https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/what-is-special-category-data/#scd4.
 See: “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) GDPR”, Official Journal of the European Union, Article 9, Paragraph 1.
 See: “Sensitive data” definition, Data Protection: Southern African Development Community (SADC) Model Law, ITU, 6.