Office 365 Sensitivity Labels at UQ

Sensitivity labels are labels assigned to a UQ Microsoft 365 document or email to indicate its information security classification.

Depending on the label applied, additional controls to protect the information (e.g. encryption, restriction on access/sharing) may be automatically applied.

Sensitivity labels are an important tool that staff can use to protect and manage access to UQ’s information, particularly information that is confidential or requires access restrictions.

Please note: UQ is applying minor changes to its sensitivity labels as part of updates to the Information Security Classification Procedure.

OFFICIAL-PUBLIC becomes PUBLIC
OFFICIAL-INTERNAL becomes OFFICIAL (this is the default sensitivity label classification).

These changes will be applied to UQ’s sensitivity labels on Friday 1 March. Once the sensitivity label names are updated, any files and documents previously classified as Official-Public and Official-Internal will carry the updated label names. There will be no change to the functionality of sensitivity labels, or the controls applied for each classification.

How to use sensitivity labels

Assigning a label

Once sensitivity labels are enabled for you, every time you create a Microsoft 365 document or email, a label will be applied.

At UQ, the default information security classification is OFFICIAL. Therefore, the OFFICIAL label will be applied by default. If the information contained within the document or email is not classified as OFFICIAL, you will need to assign a different label.

What labels can I apply?

There are five labels, and each corresponds to a UQ information security classification, as defined in the Information Security Classification Procedure. View the information security classification page for more guidance and examples.

Label	When to use	Examples
UNOFFICIAL	Use this for information, files and emails that are not related to UQ work or study.	Emailing your partner about dinner plans A document outlining your holiday itinerary
PUBLIC	Use if the information is authorised for public access. *Note that this information does not necessarily have to be made available in the public domain.	Broad email correspondence appropriate for the wider public PowerPoint intended for public presentation Official documents appropriate for public view (e.g. policies and procedures, University strategy, academic calendar)
OFFICIAL	Use this for information that would be unlikely to cause harm to UQ, another organisation or an individual if released publicly.	Internal email correspondence that is not SENSITIVE or PROTECTED External email correspondence where the content should not be shared with wider public, but would not be classified as SENSTIVE or PROTECTED Administrative documents (e.g. organisational structure, team leave calendar) Business unit processes and procedures
SENSITIVE	Use this for information that if breached owing to accidental or malicious activity could reasonably be expected to cause harm to UQ, another organisation or an individual if released publicly. Access should be authorised based on strict academic, research or business need.	Unpublished research data Personal information of staff, students and others (e.g. Tax File Numbers, passport details, address, date of birth, bank account details, address, phone number) Organisational financial or project data (e.g. budgets, business cases) Exam material Exam results
PROTECTED	Use this for information that if breached owing to accidental or malicious activity could reasonably be expected to cause serious harm to UQ, another organisation or an individual if released publicly. Access should be authorised based on very strict academic, research or business need.	Medical data Personal information regarding persons under the age of 18 Work cover forms National security information Commercially significant research results^.

How to assign a label

OnceSensitivity Labels are enabled for you, you should see a 'Sensitivity' tool in the top ribbon of Word, Excel, PowerPoint and Outlook.

The OFFICIAL label will be applied to any new documents or email by default. If this label is incorrect, select the correct label from the Sensitivity tool's drop down menu.

Demonstration video

This explanatory video guides you through using O365 Sensitivity Labels, on documents and emails.

Top of page

What does each label do?

The below table outlines what each label does when you apply it to a document or email in Outlook.

Label	Word, Excel and PowerPoint	Outlook (Email)
UNOFFICIAL	These labels simply add a persistent metadata label to the document. This helps to increase data literacy and awareness, and should prompt users to become more conscious in their decision-making when storing and sharing emails and files.	These labels simply add a persistent metadata label to the email. This helps to increase data literacy and awareness, and should prompt users to become more conscious in their decision making when storing and sharing emails and files.
PUBLIC
OFFICIAL
SENSITIVE	SENSITIVE and PROTECTED have additional controls, to help protect against unauthorised access, compromise or accidental breaches: The document/email will be automatically encrypted. A header and footer added to clearly denote the content's information security classification. The document owner controls viewing, editing and sharing permissions. The owner will be prompted to assign permissions as soon as they label the document as SENSITIVE or PROTECTED. They can select who has full, edit and read only access to the document, whether the document can be copied or printed, an expiry date to accessing the content, as well as change control settings to add or remove users. ^{Note that currently you can only assign a SENSITIVE or PROTECTED label in the desktop client (not web client) of Word, Excel and PowerPoint, therefore will need to use desktop client for such labelled documents. Adding this capability to web client is currently under review by Microsoft Engineers, with an anticipated timeframe of 6-9 months.}	SENSITIVE and PROTECTED have additional controls, to help protect against unauthorised access, compromise or accidental breaches: The document/email will be automatically encrypted. A header and footer added to clearly denote the content's information security classification. It restricts access to the email content to only the email addresses you have added as recipients. Recipients will not be able to forward, print or copy the email's content. ^{Note: If the recipient is not using Outlook with an Microsoft-provisioned email address, they will be directed to a secure Microsoft gateway to view the email. It is suggested that before sending a SENSITIVE or PROTECTED email to a recipient external to UQ, you first send an OFFICIAL – INTERNAL email advising them of this process.} It prevents the email contents from previewing in the recipient’s inbox (they will have to open the email to read it). If the recipient is using Outlook, they will see an icon (a lock icon or a red dot, depending on their Outlook version) next to the email preview, indicating that the content is confidential.
PROTECTED

User experience

The below table outlines the user experience for each label.

Label	Word, Excel and PowerPoint	Outlook (Email)
UNOFFICIAL	Access to this document, if shared or saved in a shared location, will not be impacted. Users will not notice any change, however if they have Office 365 Sensitivity Labels enabled they will be able to see what label has been set under the 'Sensitivity' tool.	If the recipient of the email has UQ's Office 365 Sensitivity Labels enabled: the label will display next to the email subject line. If they mouse over the label, a description of the label will appear. If the recipient of the email does not have UQ's Office 365 Sensitivity Labels enabled: they will not notice any change.
PUBLIC
OFFICIAL
SENSITIVE	The document will be automatically encrypted. A header and footer will be displayed, clearly denoting the content's Information Security Classification and handling instructions. The document owner controls viewing, editing and sharing permissions. Another user will only be able to open this document if it has been shared with them by the document owner. Whether they can only view, edit, or have full access to the document, will depend on the permissions the owner has set.	The email will be automatically encrypted. If the recipient is using Outlook, they will see an icon (a lock icon or a red dot, depending on their Outlook version) next to the email preview, indicating that the content is confidential. The content of your email will not preview in the recipient's inbox (they will have to open the email to read it). If the recipient does not use Outlook with an Microsoft-provisioned email address, they will be directed to a safe and protected gateway to view the email. ^{Note that the notification email that directs to the safe gateway does not state that this email can only be accessed by the intended recipient. If you feel it is necessary, you may like warn the recipient that they will soon be receiving a confidential email by first sending an OFFICIAL-INTERNAL email.} Within the email body, a header and footer will be displayed clearly denoting the content's Information Security Classification and handling instructions.
PROTECTED

Top of page

Frequently asked questions (FAQs)

Here are our answers to common questions about sensitivity labels: