When should I use OFFICIAL – INTERNAL and SENSITIVE security labels?

28 July 2022

The Office 365 sensitivity labels feature was rolled out to all UQ staff in late 2021 as part of the University’s continued commitment to improving information security. Sensitivity labels use information security classifications to categorise the type of data that is being shared in Microsoft Office 365 documents. Information that is labelled SENSITIVE or PROTECTED is also encrypted to provide added security.

Most communications within UQ should be labelled as OFFICIAL – INTERNAL

OFFICIAL – INTERNAL is UQ’s default information security classification and sensitivity label. Information should be labelled as OFFICIAL – INTERNAL if the information is private, with access restricted by business, academic, or research needs. For example, if an organiser of an upcoming selection panel sends a list of names and positions to members. This information is private, however the document doesn’t contain higher-level human resources information (e.g., tax file numbers, bank account details), and if it were breached, it would be unlikely to harm the individual or the University. Therefore, the sender labels the email as OFFICIAL – INTERNAL. Like the UNOFFICIAL label, there is no encryption associated with the OFFICIAL - INTERNAL label. Instead, the label assigns a persistent metadata label, promoting better data safety awareness and conscious decision making when creating documents and files.

It should be noted that, despite being called INTERNAL, this label can be used for communications leaving UQ, provided that they do not contain information that could harm an individual or the University.

Communications carrying private information should be labelled as SENSITIVE

When information is labelled as SENSITIVE, it’s to protect UQ, another organisation, or individuals from harm that may occur in the event of accidental or malicious activity. For example, an admin officer wishes to email the budget for the next quarter to a colleague, for the purpose of informing them of a potential surplus. This information could cause serious harm to UQ if released publicly, and access is only for specific purposes, so it needs to be appropriately secured. As a result, the sender labels the document as SENSITIVE, meaning that it will be automatically encrypted, and parameters set so only the recipient can view it. Where possible, SENSITIVE documents should not be sent as email attachments.  Instead, the relevant database (e.g., OneDrive) and its integrated sharing mechanisms should be used. This ensures that the information is appropriately secured, ensuring the privacy of the subject.

SENSITIVE is the default classification for research data; however this can vary based on the information and its level of confidentiality.

Test your knowledge

Do you know what to classify certain kinds of information? Test your knowledge of the information security classifications with our quick quiz!