dzr
STATE AUDIT OFFICE
GUARDIAN OF PUBLIC FUNDS

Only 13% of State Institutions Use Data from the Central Population Register

18.08.2025

STATE AUDIT OFFICE
Press Release
-

Skopje, 19.08.2025

 

Only 13% of State Institutions Use Data from the Central Population Register

 

The conducted audit revealed that only 13.46% of state institutions connected to the Interoperability Platform use data from the Central Population Register while the percentage is nearly three times higher among private companies, reaching 36,36%. Additionally, the absence of systematic controls for data exchange between companies indicates a risk of bypassing the rules for using the unified register, raising concerns about the security of citizens’ personal data

 

The State Audit Office conducted a compliance audit on topic “Compliance of Data Security Procedures from the Central Population Register” at the Ministry of Digital Transformation”, the legal successor of the Ministry of Information Society and Administration (MISA), covering the period from 2019 to 2024.

Based on the audit conducted, and through the application of audit techniques and methodology, reasonable assurance was obtained that, in all material aspects, operations are in compliance with the relevant legal and sublegal regulations, strategic documents, agreements, and established policies. However, several issues were identified, including: issues related to human resource capacity, undefined sensitive job positions, lack of procedures for activities related to the functioning of the Central Population Register (CPR), absence of procedures for verifying compliance with data quality standards, lack of defined standards for IT security implementation, and absence of systemic controls for data exchange between institutions to prevent circumvention of the CPR.

The Central Population Register is an integrated database of personal data of the population in the Republic of North Macedonia maintained in electronic form by the Ministry of Digital Transformation. The database is generated through automatic integration from individual databases, managed by competent authorities, such as the Ministry of Internal Affairs and the Ministry of Digital Transformation – Civil Registry Office and the competent authority responsible for managing the Address Register of the Republic of North Macedonia.

A diagram of a diagram

Description automatically generated

 

The Law on the Central Population Register regulates the management of the individual databases, as well as the access to and processing of data contained in the register by other entities. This data refers to the personal data of the citizens of the Republic of North Macedonia, as well as data on foreign nationals with a regulated stay longer than one year.

The audit covered two key areas, including: the legal framework and the security of personal data within the Central Population Register (CPR), as well as its data sources - the Ministry of Internal Affairs, and the Civil Registry Office. Each data source is obligated to integrate any entry, modification, or deletion made in its individual database into the CPR in real time, with a maximum delay of five minutes from the moment the entry, modification, or deletion is properly executed. However, the analysis showed that data synchronization between the sources and the CPR takes place on a daily basis, which allows for frequent changes in the source databases within a 24-hour period without real-time synchronization with the CPR.

This situation may lead to potential discrepancies between the data in the CPR and data held by the source institutions, thereby increasing the risk that institutions may use and process outdated data about citizens.

The analysis of the implementation of the legal and sublegal regulations related to the CPR revealed the absence of mechanisms for verifying standardized data quality in the data sources, as well as the lack of a Rulebook on standards and rules for the security of IT systems used by the authorities for electronic communication.

In addition, discrepancies exist concerning the requirements for real-time integration and synchronization from source systems. Moreover, the register of legal entities with access to the CPR lacks complete information on those entities.

Access to data from the Central Population Register is enabled exclusively through the Interoperability Platform, and institutions and entities are required to ensure compliance with technological standards in order to gain access to CPR data.

The state administration bodies, local self-government units, and other state institutions established in accordance with the Constitution and the law, which provide services for the exercise of rights and obligations of interest and need to the population of the Republic of North Macedonia, are required to use data from the Register solely for the purpose of fulfilling their legally defined duties or carrying out their registered activities, and have the right to access CPR data. However, only 52 institutions and 11 private companies are connected to the Interoperability Platform which indicates a limited application of the system and underutilization of its capacity.

The analysis of legal entities connected to the Interoperability Platform showed that state institutions use data from the CPR at a significantly lower rate – only 13.46% - compared to private companies, where the usage rate is 36.36%.

A graph with blue and orange squares

Description automatically generated

slika

 

The analysis of the submitted reports on data requests from the CPR revealed that, since the establishment of the Register, a total number of 19,769,806 data calls have been made, out of which 44,261 were unsuccessful. The success rate of the calls stands at 99.78%, indicating stable technical functionality of the system.

 

Year

Number of successful data calls

Number of unsuccessful data calls

Total number of calls

2019

9.206

0

9.206

2020

255.336

373

255.709

2021

13.087.404

2.473

13.089.877

2022

858.105

9.499

867.604

2023

3.904.737

8.258

3.912.995

2024

1.610.757

23.658

1.634.415

Вкупно

19.725.545

44.261

19.769.806

 

The published register of competent authorities and other entities that use CPR data, available on the website of the Ministry of Digital Transformation contains incomplete records regarding these legal entities, as well as information on which data the citizens are permitted to access. These conditions are not aligned with the legally defined competences of the institutions, which may compromise personal data protection and reduce public trust in institutions.

Regarding personal data security within the CPR and its data sources, it was determined that there are no systematic controls in place for data exchange between institutions that would prevent the bypassing of the CPR. Additionally, there are no written procedures for granting access to legal entities that use the data, nor are there control mechanisms for verifying compliance with minimum standards for administrative security of the systems used by the data sources.

The audit also revealed an insufficient number of employees engaged in performing tasks related to the fulfillment of duties across multiple sectors and departments, as well as a lack of heads in key organizational units.

Additionally, sensitive job positions are not defined in the act on job systematization within the Ministry of Digital Transformation, and there are no established procedures for activities related to the functioning of the CPR by the competent ministry.

To address the identified issues, recommendations have been made with the aim of taking measures and actions to improve the situation through strengthening the human capacities, introducing written procedures and manuals, implementing system controls for data security and exchange, as well as establishing automated monitoring of discrepancies in personal data records.

 

Press Contact:

Albiona Mustafa Muhaxhiri  +389 72228 203 [email protected] 
Mijalche Durgutov  +389 70 358 486 [email protected] 
Martin Duvnjak    +389 75 268 517 [email protected]