Office 365 Sensitivity Labels are persistent labels assigned to an O365 document or email, that indicate its information security classification.

Additional controls to protect the information (e.g. encryption, restriction on access/sharing) are also applied to some labels. This helps protect information and enables better clarity over the confidentiality of documents.

Why are we using Office 365 Sensitivity Labels at UQ?

Data security is an ongoing concern at both UQ and other institutions around the world, particularly as threats of phishing and other scams and hacking attempts become more complex. As UQ staff handle confidential information in a variety of respects - including personal information regarding students, and research data - it is vital we continually work to prevent this, protecting the confidentiality of the information and the integrity of the University. This is something that Office 365 Sensitivity Labels can help achieve. 

Top of page

How to use Office 365 Sensitivity Labels

Assigning a label  

Once Office 365 Sensitivity Labels are enabled for you, every time you create an Office 365 document or email, a label will be applied. 

At UQ, the default information security classification is OFFICIAL - INTERNAL. Therefore, this label will be applied by default. If this is incorrect for the information you are dealing with, you will need to assign a label. 

What labels are there?  

Label When to use Examples
UNOFFICIAL Use this for information, files and emails that are non-work related. 
  • Emailing your partner about dinner plans 

  • A document outlining your holiday itinerary 

OFFICIAL - PUBLIC Use if the information is authorised for public access. 
*Note that this information does not necessarily have to be made available in the public domain. 
  • Broad email correspondence appropriate for the wider public 

  • PowerPoint intended for public presentation 

  • Official documents appropriate for public view 

OFFICIAL - INTERNAL Use this for information that would be unlikely to cause harm to UQ, another organisation or an individual if released publicly.  
  • Internal email correspondence 

  • Administrative documents 

SENSITIVE

Use this for information that if breached owing to accidental or malicious activity could reasonably be expected to cause harm to UQ, another organisation or an individual if released publicly. 

Access should be authorised based on strict academic, research or business need. 

  • unpublished research data 
  • personal identifiable information (e.g. human resources data and tax file number) 

  • student and staff records 

PROTECTED

Use this for information that if breached owing to accidental or malicious activity could reasonably be expected to cause serious harm to UQ, another organisation or an individual if released publicly. 

Access should be authorised based on very strict academic, research or business need. 

  • Confidential legal documents or emails 

  • Medical records 

  • Work cover forms 

You can also use the 'Which Information Security Classification should you apply?' decision tree to help determine what label is appropriate. 

How to assign a label

Once Office 365 Sensitivity Labels are enabled for you, you should see a 'Sensitivity' tool in the top ribbon of Word, Excel, PowerPoint and Outlook. 

Sensitivity tool in word
The OFFICIAL - INTERNAL label will be applied to any new documents or email by default. If this label is incorrect, select the correct label from the Sensitivity tool's drop down menu. 

 

Top of page

What does each label do?

The below table outlines what each label does when you apply it to a document or email in Outlook.  

Label Word, Excel and PowerPoint Outlook (Email)
UNOFFICIAL

These labels simply add a persistent metadata label to the document. 

This helps to increase data literacy and awareness, and should prompt users to become more conscious in their decision making when storing and sharing emails and files. 

These labels simply add a persistent metadata label to the email. 

This helps to increase data literacy and awareness, and should prompt users to become more conscious in their decision making when storing and sharing emails and files. 

OFFICIAL - PUBLIC
OFFICIAL - INTERNAL
SENSITIVE

SENSITIVE and PROTECTED have additional controls, to help protect against unauthorised access, compromise or accidental breaches: 

  • The document/email will be automatically encrypted. 

  • A header and footer added to clearly denote the content's Information Security Classification.  

  • The document owner controls viewing, editing and sharing permissions.  The owner will be prompted to assign permissions as soon as they label the document as SENSITIVE or PROTECTED. 
    They can select who has full, edit and read only access to the document, whether the document can be copied or printed, an expiry date to accessing the content, as well as change control settings to add or remove users. 

  • Note that currently you can only assign a SENSITIVE or PROTECTED label in the desktop client (not web client) of Word, Excel and PowerPoint, therefore will need to use desktop client for such labelled documents. Adding this capability to web client is currently under review by Microsoft Engineers, with an anticipated timeframe of 6-9 months. 

SENSITIVE and PROTECTED have additional controls, to help protect against unauthorised access, compromise or accidental breaches: 

  • The document/email will be automatically encrypted. 

  • A header and footer added to clearly denote the content's Information Security Classification.  

  • It restricts access to the email content to only the email addresses you have added as recipients.  Recipients will not be able to forward, print or copy the email's content. 

  • Note: If the recipient does not have a UQ provisioned email address, they will be directed to a secure Microsoft gateway to view the email. It is suggested that before sending a SENSITIVE or PROTECTED email to a recipient external to UQ, you first send an OFFICIAL – INTERNAL email advising them of this process.  

  • It prevents the email contents from previewing in the recipient’s inbox (they will have to open the email to read it). If the recipient is using Outlook, they will see an icon (a lock icon or a red dot, depending on their Outlook version) next to the email preview, indicating that the content is confidential.  

PROTECTED

User experience 

The below table outlines the user experience for each label. 

Label Word, Excel and PowerPoint Outlook (Email)
UNOFFICIAL

Access to this document, if shared or saved in a shared location, will not be impacted. Users will not notice any change, however if they have Office 365 Sensitivity Labels enabled they will be able to see what label has been set under the 'Sensitivity' tool. 

If the recipient of the email has Office 365 Sensitivity Labels enabled: the label will display next to the email subject line. If they mouse over the label, a description of the label will appear. 

If the recipient of the email does not have Office 365 Sensitivity Labels enabled: they will not notice any change.  

OFFICIAL - PUBLIC
OFFICIAL - INTERNAL
SENSITIVE

The document will be automatically encrypted. 

A header and footer will be displayed, clearly denoting the content's Information Security Classification and handling instructions. 

The document owner controls viewing, editing and sharing permissions. 

Another user will only be able to open this document if it has been shared with them by the document owner. Whether they can only view, edit, or have full access to the document, will depend on the permissions the owner has set. 

The email will be automatically encrypted. 

If the recipient is using Outlook, they will see an icon (a lock icon or a red dot, depending on their Outlook version) next to the email preview, indicating that the content is confidential.  

The content of your email will not preview in the recipient's inbox (they will have to open the email to read it).  

If the recipient does not have a UQ provisioned email address, they will be directed to a safe and protected gateway to view the email. 

  • Note that the notification email that directs to the safe gateway does not state that this email can only be accessed by the intended recipient. If you feel it is necessary, you may like warn the recipient that they will soon be receiving a confidential email by first sending an OFFICIAL-INTERNAL email. 

Within the email body, a header and footer will be displayed clearly denoting the content's Information Security Classification and handling instructions. 

PROTECTED

 

Top of page