Security Policy

Security Compliance Policy

Sparrow provides leave administration for its clients’ employees. Sparrow is based in San Francisco, California, and provides services across the United States. All data control and processing by Sparrow occurs within the United States. The employee is a beneficiary of the contractual agreement between Sparrow and his or her employer. Sparrow onboards the employee, explains how the leave administration process works in his or her situation, and collects only the minimum necessary information to administer the leaves it manages.

Sparrow uses model forms designed by the promulgating authorities to collect only the information required under the law. Any health information we do need to collect is limited to a health certification that describes the employee’s functional limitations in performing his or her job. The employee, or a representative where applicable, takes an active part in this data collection and can view and access the collected information on his or her Sparrow dashboard, with the opportunity to correct data as needed.

Sparrow does not share any personal data with any person or organization outside the required protocols/organizations for successful leave administration unless required by law. To further protect the employees’ data, Sparrow implements established security protocols. These protocols help establish a framework for providing reasonable safeguards for the data we collect. The ways we safeguard data include, but are not limited to, following governance standards, establishing security policies, encrypting data, limiting access to data, and training personnel in sensitive data handling and security awareness practices.

As new privacy and security standards are presented, we often use them as a guide to better protect our business and your employees’ data and privacy. This means that, even when we are not required to comply with these standards, we do our best to engage best practices that will further enhance data and privacy protections for your employees.


Is Sparrow HIPAA compliant?

HIPAA applies specifically to health plans, health care clearinghouses, and health care providers. Sparrow is authorized to collect information for leave management in accordance with employment law, the Department of Labor (DOL), and the Equal Employment Opportunity Commission (EEOC). While HIPAA does not apply to Sparrow’s activities, we take security very seriously and strive to align with the security elements of HIPAA, also known as the Federal Privacy Act, that requires reasonable administrative, technical, and physical safeguards in order to protect your employees’ data.

Is Sparrow CCPA compliant?

The California Consumer Privacy Act (CCPA) is a data privacy law that regulates businesses that collect or sell California consumer data and satisfy one of the following thresholds: (1) generates $25 million or more in annual revenue; or (2) possesses personal data for more than 50,000 “consumers, households, or devices;” or (3) earns more than half of its annual revenue selling consumers’ personal data. While Sparrow does not meet these entity requirements, we consider your employees’ privacy rights to be fundamental to our relationship. In that respect, we do not sell information to third parties, we explain what information is collected, we give employees access to their information, and we do not discriminate against them when they choose to exercise their privacy rights.

Is Sparrow GDPR compliant?

Sparrow is based in the State of California in the United States. All of Sparrow’s operations, including data control and processing, are located within the United States. Sparrow does not target or profile data subjects within the European Union. Therefore, Sparrow’s activities fall outside the scope of Union law and Sparrow is not required to comply with GDPR. That said, we strive to meet the accountability principles of GDPR:

  1. To process data lawfully, fairly, and in a transparent manner;
  2. To collect data for a specific, legitimate purpose and to not further process it in a manner incompatible with that purpose;
  3. To only collect what is necessary for the purpose of the processing;
  4. To maintain accuracy of the data;
  5. To minimize the retention of data with personally identifiable information; and
  6. To process in a manner to ensure appropriate security.

The details of our security implementation may evolve to address current threats, changes in standards, and our business environment, so if you have any questions about our most recent implementation of these policies, please direct your inquiry to [email protected]