How is our sensitive health data dealt with by the Social Security System and private companies?

Cover of the research "Exploratory analysis on some personal data protection practices in the social security system of the Paraguayan state"

The third investigation in the Personal Data and Privacy series was launched this week. The research addresses health rights and labor law, with recommendations that aim to guide State action on the treatment of personal health data in Paraguay, where the regulatory system still does not comply with international standards and fundamental principles on democracy, dignity, freedom and international human rights law.

A first approach to this issue, from the perspective of the public and private sectors, was taken in the first part of the series, carried out between last year and this year.

Made in partnership with Privacy International, a pioneering organization in Great Britain in the defense of privacy around the world, the study was aimed at analyzing the implementation of regulations in force in Paraguay with a direct impact on the human rights of people insured in the country’s public health system.

Specifically, the resolutions of the Management Board “By which approves the regulation that establishes the presentation of the admission medical examination of the workers in charge of the employers” [1] and “That forces patients and authorized of the patient to register their fingerprints to withdraw high-cost cancer medications” [2], although they have different objectives, directly affect some fundamental rights that were not analyzed when these public policies were drawn up, leaving the people insured in the social security system in a highly vulnerable state.

On the other hand, the need to explore the implications of the Annual Medical Exam required by the Ministry of Labor, Employment and Social Security (MTESS) was addressed.

The research was exploratory and consisted of a series of interviews with companies in compliance with current labor regulations, as well as with authorities of the Social Security Institute and the MTESS.

Among the main findings of the research:

With regard to the admission and annual medical exams:

  • When dealing with the medical examinations required by the IPS and the MTESS, guarantees are needed to ensure that the mechanisms are adequate. That is, each mechanism should be applied specifically to the working conditions of the job in question. For example, a person who works in the administrative area does not need the same health check as the exams required of staff working in the medication deposit area.
  • The findings show that, in the case of companies in compliance with the analyzed IPS and MTESS regulations, the managerial staff and officials in charge of human resources management collect health data at their discretion and/or by intuition, without ethical protocols for collecting sensitive information for each job.
  • One of the people interviewed pointed out that, for those companies that outsource the collection of health data, in some cases there is evidence of requests for more medical studies than necessary. The more studies are requested, the higher the price charged to employers, which violates workers’ rights and enables situations of vulnerability.
  • The fact that all of the companies ensure that access to health files is exclusive to each worker (that is, the owner of the data) stands out as highly positive. The same is true of companies that keep medical studies.
  • A worrisome fact related to the previous point is that neither the Ministry of Labor nor the IPS actively assumes the role of control in safeguarding the documentation required by their own regulations and provisions. A worrying gap is identified: no public institution guarantees that the security measures for companies’ health files are maintained according to the appropriate standards.
  • Another worrisome trend identified is the lack of a general protocol that considers the validity and destruction of workers’ sensitive health data (and data in general) once the purpose for which they were collected has been fulfilled.

About biometric data (fingerprints):

  • The collection of biometric data was implemented without an adequate legal framework.
  • Biometric data is sensitive data, requiring stronger mechanisms than the ones contemplated by the IPS Management Board. Fingerprinting is not about fingerprints, but about how digital identity is used to determine certain rights.
  • The technology and mechanisms that will be used for the collection, analysis and storage of the biometric data, as well as the scope of this policy, are unknown.
  • The collection of biometric data is disproportionate. Fingerprints can be a control mechanism that could aggravate surveillance practices and harassment of minorities, ethnic groups, immigrants, etc.

Next steps

The challenges mentioned clearly illustrate how technology, health, privacy rights and the confidentiality of personal data together form a very complex field, both from the legal point of view and from that of the integrity and dignity of people. This calls for more attention from the Paraguayan State, and it should also be a focus of interest for academia in the field of health.

The trivialization of the collection and exchange of sensitive health data and fingerprints requires greater attention from the competent authorities, in order to control the amount of health data currently being collected by the public and private sectors. To that end, it will be indispensable to develop technologies that allow the implementation of standards for the protection of privacy and confidentiality of personal health and biometric data, in order to avoid carelessness by health administrators.

Finally, it is worth highlighting the need for a broad national debate on the creation of a new law on the protection of personal data, based on the highest international standards, that comprehensively addresses the problems of privacy and protection of personal data. It is necessary to have an approach that takes into account the current global situation of technological advances, as well as their impact on people’s rights.

You can access the full investigation here.

You can also access our podcast episode about the subject here:


  1. Resolution of the Management Board No. 099-016
  2. Resolution of the Management Board No. 003-050 / 16