Serbia’s Plan for Personal Data Centralisation Carries Risks


A Serbian plan to centralise data storage brings with it big potential benefits, but risks too.

When a baby is born in Serbia, his or her parents receive a birth certificate and health card in the post, listing the newborn’s residential address, health card number, and ‘JMBG’, the unique identification number assigned to each and every Serbian citizen.

This data is stored in centralised data centres, yet when the child goes to see the doctor or, eventually, the dentist, the parents have to take all the child’s records on paper, since no hospital, medical clinic, or dental practice is yet part of any unified data network.

That should change by 2025 under a 51.6-million-euro government plan to upgrade data management and storage at Serbia’s two data centres – in the capital, Belgrade, and the central town of Kragujevac – and link healthcare providers into a single network. Within two years, the aim is to have 11 per cent of providers inside the network, and all their data should be stored in the data centres.

In June, the government awarded tenders worth 3.7 million and 3.4 million euros respectively to Comtrade System Integration to upgrade the infrastructure of the Belgrade and Kragujevac data centres and connect them.

The aim is to help speed the development of the state’s eGovernment service and cut costs of procurement, management and maintenance of Serbia’s information and communications technology infrastructure.

Under a programme adopted in April, the Kragujevac data centre will provide a State Cloud and serve as backup for the data centre in Belgrade.

But with centralisation of data storage come worries about the safety of that data and citizen privacy. Health Minister Danica Grujicic said in June she had her own concerns.

“What I don’t like when it comes to the introduction of [unified] electronic documentation is insufficient data protection,” Grujicic was quoted as telling the Serbian newspaper Nova ekonomija. “Data are currently located on servers in hospitals and clinical centres and will all be transferred to the [National] Data Centre. All the data should be there, with the fact that we have to have a data backup, and it is logical that that backup should be in the Ministry of Health.”

Risk of political abuse

It is currently unclear what data is stored in Serbia’s state data centres.

All that is publicly known is that, according to the Electronic Government Development Programme 2023-2025, over the past year some 36 state, provincial or local government bodies submitted their data to a data centre. By 2025, the goal is for 60 to have done so.

That data concerning the registration of newborn babies is stored in the data centres is clear because it is part of a project called ‘Welcome Baby to the World’, which has been touted extensively to promote the benefits of the eGovernment system and the first data centre that opened in Belgrade in December 2017.

The national programme also states that in 2022 83 registers and other software solutions were stored in the state data centres and that by 2025 the aim is to reach 120. But neither in the programme or the reports of the data centres or the Office for IT and eGovernment is it stated what data is in these registers.

The Office for IT and eGovernment did not respond to questions submitted by BIRN.

What is known is that the government has already concluded several commercial contracts with the likes of American Oracle, Chinese Huawei and other foreign companies to store their data in Kragujevac.

Science and Technological Development Minister Jelena Begovic has also announced that data on genomes sequenced at the Institute for Molecular Genetics and Genetic Engineering will be anonymised and stored in Kragujevac. Begovic told Nova ekonomija that scientists would be able to access the data via the NVIDIA supercomputer.

The data centre in Kragujevac is specially designed for data storage, in a location considered less risky.

Its data protection measures are much better than those of individual state institutions, said Ana Toskic Cvetinovic, executive director of Partners Serbia, which, among other things, works on promoting personal data protection.

“For example, what happened with the Cadastre [records] last year shows how unprepared individual institutions and their IT sectors are to manage and protect data,” Toskic Cvetinovic told BIRN, referring to a hacker attack on the Serbian cadastral register in June 2022 that blocked the system for a week.

But it’s not only hackers who pose a threat. Data is at risk of political abuse, too.

“The issue of data storage can be more problematic from the political side of potential abuses and the introduction of new digital surveillance systems” than from “system intrusion by hackers”, Toskic Cvetinovic said. “Such attacks are of course possible, but I think that those risks exist more for individual systems than for the data centre.”

However, if there is an attack, she warned, the fact such databases are centralised magnifies the potential impact.

“These are not only state bases; the idea is to give that storage space to other domestic and foreign businesses as well.”

Source : Balkaninsight