Sensitivity labels – when should you use them?

11 August 2021

Office 365 sensitivity labels are being rolled out to all UQ staff in September. 

As you get acquainted with Office 365 sensitivity labels, you may be asking yourself, what label should I apply, when? How do know when to use a label? Is there certain content that shouldn’t be sent to CRM systems and shared mailboxes? Below, find out some key rules on when you should and shouldn’t use sensitivity labels, and how they can assist you in your everyday decision making. Remember, Office 365 sensitivity labels align with UQ’s Information Security Classifications.

Any emails that are not UQ related should be labelled UNOFFICIAL 

For example, you are emailing your partner (who does not work at UQ) about your personal dinner plans. Because the information is not associated with the University and does not contain confidential personal information, it does not pose a potential threat. Therefore, you label the email as UNOFFICIAL. 

There is no encryption associated with the UNOFFICIAL label, it just assigns a persistent metadata label. This is also the case for the OFFICIAL – PUBLIC label, which is for information that has been published publicly (available without a UQ login).

Most UQ emails should be labelled OFFICIAL – INTERNAL 

This is UQ’s default Information Security Classification. Information should be labelled as OFFICIAL – INTERNAL if, for example, a supervisor is sending their manager the team leave calendar for the next three months. The information is private, with access restricted by business (or academic, or research) need. However, the document doesn’t contain higher-level human resources information (eg. tax file numbers, bank account details), and if it were breached, would be unlikely to harm the individual or the University. Therefore, the sender labels the email as OFFICIAL – INTERNAL. Like the UNOFFICIAL label, there is no encryption associated with the OFFICIAL - INTERNAL label. Instead, the label assigns a persistent metadata label, promoting better data safety awareness and conscious decision making when creating documents and files. 

Emails sent to CRM systems and shared mailboxes should not be labelled as SENSITIVE or PROTECTED 

Emails labelled as SENSITIVE or PROTECTED have an extremely limited audience which is controlled by strict need. Therefore, they should not be sent to CRM systems and shared mailboxes, where they can be easily viewed by a less restricted audience. For example, an admin officer wishes to email medical records to a colleague, for the purpose of setting up support mechanisms for a student. This information could cause serious harm (breach of privacy) to the student if released publicly, and access is only for specific purposes, so it needs to be appropriately secured. As a result, the sender labels the email as PROTECTED, meaning that it will be automatically encrypted, a header and footer added indicating its classification, and the receiver will have to open the message to read it, unable to preview it in their inbox. This ensures that the information is appropriately secured, ensuring the privacy of the subject. Emails sent to CRM systems and shared mailboxes should mostly be OFFICIAL – INTERNAL.

Read more examples of when to use each Office 365 sensitivity label.

Latest