Purpose ”“ The research aims to observe and describe the legal framework and implementation practices of personal databases management in the Social Security Institute (IPS), the most important public social insurance system in Paraguay. Methodology ”“ The research is exploratory, consisting on both substantive and procedural law analysis of health information storage regulations and its compliance. Also, interview to private companies, the public sector and one qualified worker insured by IPS are conducted to better understand collection, storage and maintenance of health records databases. Findings ”“ Research indicates evidence that biometric data storage of insurers does not have adequate regulation for its protection. It also shows evidence that private companies don’t deliver by default medical records to workers, as well as potential access to these records by administrative personal. Evidence also signals that clinics performing medical examinations request more sensitive information than required by law. Research limitations It is identified that a broader private company sample could be of use to better understand workers health record collection. Also, third party auditing IPS IT systems could be of use to further understand information management practices and vulnerabilities. Practical Implications ”“ A series of discretional practices are identified, signaling regulatory standardization urgency for all actors. A comprehensive Protection of Personal Data Act is needed. Originality ”“ No comprehensive research targeting the IPS system and its health personal data management processes is identified. The research is considered an initial contribution to the state of the art on the subject and specially to biometric collection and storage.