When should I use each Office 365 Sensitivity Label?
This page provides more detail on when to use each Office 365 Sensitivity Label, along with some example scenarios.
What labels are there?
The Office 365 Sensitivity Labels are aligned with UQ's Information Security Classifications. They are:
- UNOFFICIAL
- PUBLIC
- OFFICIAL
- SENSITIVE
- PROTECTED
You can also use the information security classification decision tree (PDF, 84.8 KB) to help determine what label is appropriate.
Please note: UQ is applying minor changes to its sensitivity labels as part of updates to the Information Security Classification Procedure.
- OFFICIAL-PUBLIC becomes PUBLIC
- OFFICIAL-INTERNAL becomes OFFICIAL (this is the default sensitivity label classification).
These changes will be applied to UQ’s sensitivity labels on Friday 1 March. Once the sensitivity label names are updated, any files and documents previously classified as Official-Public and Official-Internal will carry the updated label names. There will be no change to the functionality of sensitivity labels, or the controls applied for each classification.
Examples of when to use
For more detail about when to use each label, see the relevant section below. The scenarios are based on UQ’s Information Security Classifications.
UNOFFICIAL
When to use
Use this for information, files and emails that are non-work related.
Example of use
An admin officer is emailing their partner about their personal dinner plans. Because the information is not associated with the University and does not contain confidential personal information, it does not pose a potential threat. Therefore, the sender labels the email as UNOFFICIAL.
Is there any encryption associated with this label? There is no encryption associated with the UNOFFICIAL label. Instead, the label just assigns a persistent metadata label.
Will there be any indications to the receiver that the label has been used? If the recipient does not have Office 365 Sensitivity Labels enabled, they will not notice any change. If they do, they will simply see an "UNOFFICIAL" tag associated with the email.
Why should this label be used? The UNOFFICIAL label promotes better data literacy and conscious decision making when creating documents and files. This is helpful when handling more confidential information.
When not to use this label
- Do not use this label for anything work-related.
PUBLIC
When to use
Use if the information is authorised for public access.
*This information does not necessarily have to be available in the public domain.
Example of use
A course coordinator emails a tutor the next semester’s course outline, which has updated assessment due dates. Because the rest of the information is already published online, available to the general public (not requiring a UQ login), it is considered to have an insignificant impact in the event of an accidental leak or malicious breach. Therefore, the sender labels the email as PUBLIC.
Is there any encryption associated with this label? There is no encryption associated with the PUBLIC label – instead, it assigns a persistent metadata label.
Will there be any indications to the receiver that the label has been used? If the recipient does not have Office 365 Sensitivity Labels enabled, they will not notice any change. If they do, they will simply see a "PUBLIC" tag associated with the email.
Why should this label be used? Like the UNOFFICIAL label, the PUBLIC label promotes better data literacy and conscious decision making when creating documents and files. This is helpful when handling more confidential information (SENSITIVE or PROTECTED labelled).
When not to use this label
- Do not use this label for non-work-related content.
- Do not use this label for correspondence with external recipients where the content would not be appropriate for public view.
OFFICIAL
When to use
Use this for information that would be unlikely to cause harm to UQ, another organisation or an individual if released publicly.
Example of use
A supervisor is sending a manager the team leave calendar for the next three months. The information is of a private nature, and will not be accessible to the general public, with access restricted by business (or academic, or research) need. However, it doesn’t contain higher-level human resources information (e.g. tax file numbers, bank account details), and if it were breached, would be unlikely to harm the individual or the University. Therefore, the sender labels the email as OFFICIAL.
Is there any encryption associated with this label? There is no encryption associated with the OFFICIAL label. Instead, the label assigns a persistent metadata label.
Will there be any indications to the receiver that the label has been used? If the recipient does not have Office 365 Sensitivity Labels enabled, they will not notice any change. If they do, they will simply see an "OFFICIAL" tag associated with the email.
Why should this label be used? Like the UNOFFICIAL and PUBLIC labels, the OFFICIAL label promotes better data literacy and conscious decision making when creating documents and files. Communications sent to CRM systems and shared mailboxes should mostly be OFFICIAL.
When not to use this label
- Do not use this label for non-work-related content.
- Do not use this label for information that could possibly cause harm to UQ, another organisation or an individual if released publicly.
SENSITIVE
When to use
Use this for information that, if breached owing to accidental or malicious activity, could reasonably be expected to cause harm to UQ, another organisation or an individual if released publicly.
Access should be authorised based on strict academic, research, or business need.
Example of use
For emails
A researcher is sending findings to a colleague who is outside UQ and uses a Gmail account. The research data is not yet published. Its originality is valuable to the colleagues and it may be used for an important publication, so the data needs to be appropriately secured. To keep their work safe when it is sent outside the UQ network, the sender labels the email as SENSITIVE.
The receiver is using a non-UQ email address. How will they be able to read it? If the email has been sent to a non-UQ email address, the receiver will need to log into a protected gateway. The email that directs the receiver to the safe gateway does not indicate that it can only be read by the addressed recipient – therefore, it is recommended that the sender forewarns the recipient by sending a separate OFFICIAL – INTERNAL email.
Will the same standard of encryption be maintained? Yes. One of the key capabilities of Office 365 Sensitivity Labels is that they are persistent, applying to communications and documents, even outside UQ. As with internal communications, the email will be automatically encrypted.
Will the recipient be able to forward the email? SENSITIVE communications cannot be forwarded, and should not be sent to shared mailboxes or CRM systems.
For documents
A course coordinator has written the final exam paper for a course. If released, this information could infringe on academic outcomes, giving some students an unfair advantage and endangering the integrity of the University. This is like human resources or financial data, posing a significant privacy risk to individuals or the University in the event of a breach. Access to it should be limited to only those for whom it is vital (e.g. other course staff). As a result, the document is labelled as SENSITIVE, meaning that it will be automatically encrypted, and carry viewing, editing, and sharing permissions. The document is stored in SharePoint, a centrally accessible area.
Who will be able to access this document? Only users who have been granted permission by the document owner will be able to access it. Whether each individual user can read, edit, or have full access can be managed by the document owner.
Will there be any other indications that the document is protected? When the Office 365 Sensitivity Label is applied, a header and footer are added that indicate its classification.
Who will be able to share the document with others? Only the document owner can share with others. It cannot be shared by those who have been granted permission to view or edit.
When not to use this label
- Do not use this label when emailing shared mailboxes or CRM systems. Generally SENSITIVE or PROTECTED information should not be sent to shared mailboxes or CRM systems due to the confidentiality of the content.
- Do not use this label for non-work-related content.
PROTECTED
When to use
Use this for information that, if breached owing to accidental or malicious activity, could reasonably be expected to cause serious harm to UQ, another organisation or an individual if released publicly.
Access should be authorised based on very strict academic, research, or business need.
Example of use
For emails
Someone wishes to email medical records to a colleague, for the purpose of setting up support mechanisms for a student. This information could cause serious harm (breach of privacy) to the student if released publicly, and access is only for specific purposes, so it needs to be appropriately secured. As a result, the sender labels the email as PROTECTED, meaning that it will be automatically encrypted, and a header and footer added indicating its classification.
How will the recipient be able to read this email? The receiver will have to open the message to read it; they will be unable to preview it in their inbox.
Will there be any other indications that the email is protected? If the recipient is using Outlook, they will see an icon (either a lock, or red dot) in the preview window in their inbox.
Will the recipient be able to forward the email? PROTECTED communications cannot be forwarded, and should not be sent to shared mailboxes or CRM systems.
For documents
A researcher has detailed highly confidential, commercially significant research outcomes for their research project in a Word document. This information has not been released publicly, and if released, it could have grave repercussions for research agreements, ethics and research impact. Access to it should be limited to only those for whom it is vital. As a result, the document is labelled as PROTECTED, meaning that it will be automatically encrypted, and carry viewing, editing, and sharing permissions. The document is stored in their personal OneDrive.
Who will be able to access this document? Only users who have been granted permission by the document owner will be able to access it. Whether each individual user can read, edit, or have full access can be managed by the document owner.
Will there be any other indications that the document is protected? When the Office 365 Sensitivity Label is applied, a header and footer are added that indicate its classification.
Who will be able to share the document with others? Only the document owner can share with others. It cannot be shared by those who have been granted permission to view or edit.
When not to use this label
- Do not use this label when emailing shared mailboxes or CRM systems. Generally SENSITIVE or PROTECTED information should not be sent to shared mailboxes or CRM systems due to the confidentiality of the content.
- Do not use this label for non-work-related content.