Understanding Sensitivity Labels

 

Understanding Sensitivity Labels

Sensitivity labels in Microsoft 365 help classify and protect data according to its level of confidentiality. At UND, these labels align with NDUS Policy 1203.7, ensuring that institutional and legal requirements for data handling are met.

For specific classification examples, refer to 1203.7 Classification of Common Data Elements.

Table of Contents

What Are Microsoft 365 Sensitivity Labels?

Microsoft 365 Sensitivity Labels allow users to classify and apply protection policies, such as encryption and access control, based on how sensitive the data is. These protections travel with the data, whether it's in an email, Word document, or Excel spreadsheet.

Key Benefits

  • Compliance Assistance: Labels help identify and secure data governed by regulations like FERPA, HIPAA, or contractual obligations.
  • Enhanced Security: Labels can enforce encryption and block actions like forwarding or copying.
  • Persistent Protection: The applied label stays with the file/email no matter where it's stored or shared.
  • User Flexibility: Labels can be easily selected in Outlook, Word, Excel, PowerPoint, and the Outlook Web App (OWA).
At UND, all documents and emails default to the UND-Public label. Users must select UND-Private or UND-Restricted if higher protection is needed.

Label Overview and Guidance

Label Use When... Protections Applied Recipient Restrictions
UND-Public

Sharing general information that is not confidential.

No encryption, no restrictions.

 None — can be shared with anyone, including the public.
UND-Private

Handling internal or moderately sensitive data.

Email encryption, "Private" header. Sharing can be limited.

 Configurable:
• All NDUS
• UND Campus only
• Specific individuals/teams
UND-Restricted

Sharing highly confidential, regulated, or legally protected data.

Email encryption, forwarding/copying blocked, "Restricted" header, watermark. Sharing can be limited.

 Configurable:
• All NDUS
• UND Campus only
• Specific individuals/teams

Recipient Restrictions (does not automatically share access)

  • All NDUS: Anyone with an account across any NDUS institution can access.
  • UND Campus: Limited to users with @UND.edu email addresses.
  • Specific Individuals/Teams: Manually defined when applying the label.
Warning: Applying a sensitivity label does not automatically grant access to anyone. It only limits how the content can be shared based on the label’s recipient restrictions.
Warning: All documents and emails default to the UND-Public label. Users must select UND-Private or UND-Restricted if higher protection is needed.

Label Details with Data Examples

UND-Public

Use for data that can be disclosed without harm or legal restriction.

Examples from Policy 1203.7:

  • Not Withheld Student Directory Information (name, address, email address, etc. For further questions, contact the Registrar's Office)
  • Job titles and descriptions
  • Employee education and work experience
  • Budget summaries, payroll time sheets (non-FERPA), invoice and PO details
  • Meeting agendas and minutes

Protections:

  • No encryption or access restrictions
  • Automatically applied by default

UND-Private

Use for sensitive internal information that, if improperly shared, may lead to moderate risk.

Examples from Policy 1203.7:

  • Student education records (grades, test scores, financial aid, advising)
  • Withheld Student Directory Information (name, address, email address, etc. For further questions, contact the Registrar's Office)
  • Passport numbers
  • Student or employee ID numbers
  • Risk/security assessments
  • Legal investigations and privileged attorney-client communications
  • Birth date, gender, ethnicity, or citizenship
  • Private infrastructure plans or IP/trade secrets

Protections:

  • Email encryption
  • "Private" header

Restrictions by recipient type:

  • All NDUS
  • UND Campus only
  • Specific People or Teams

UND-Restricted

Use for high-risk or legally/contractually protected information. This data must be protected against unauthorized disclosure at all times.

Examples from Policy 1203.7:

  • Name + Social Security Number or Driver’s License
  • Financial account data, debit/credit card details
  • Protected Health Information (PHI)
  • Export Controlled Data (ITAR/EAR)
  • Passwords to systems containing restricted data
  • Private encryption keys

Protections:

  • Email encryption
  • Forwarding and copying are blocked
  • “Restricted” header
  • Watermark applied to documents

Restrictions by recipient type:

  • All NDUS
  • UND Campus only
  • Specific People or Teams

How to Apply Sensitivity Labels

In Outlook (Email)

  1. Open your message in Microsoft Outlook.
  2. Select Sensitivity when composing an email on the Message tab or locate the Shield icon in the new window (green by default, indicating UND-Public)
  3. Choose the sensitivity label that applies to your email:
  • UND-Private → Applies encryption and “Private” label
  • UND-Restricted → Encrypts, blocks forwarding/copying, and applies “Restricted” label

In Office Files (Word, Excel, PowerPoint)

  1. Open your document in Word, Excel, or PowerPoint.
  2. On the Home tab, select Sensitivity or locate the Shield icon beside the document title (green by default, indicating UND-Public).
  3. Choose the sensitivity label that applies to your file:
  • UND-Private
  • UND-Restricted

How to Protect Files with Purview Info Protection (PIP)

In order to classify a document within Windows Explorer through the right-click context menu, Windows requires the PIP Client to be installed separately from Office products.

To Install the PIP Client

  1. Go to the Microsoft Purview Information Protection page.
  2. Click Download.
  3. Choose one of the installation file options with .exe in the name.
  4. Click Next.
  5. Once the installation file is downloaded, launch the installation file and follow the prompts on the screen to install the client.

Please visit the Extend Sensitivity Labeling on Windows page and scroll down to the Supported file types section to understand which file formats work with PIP protections applied. You can apply the protection through labeling directly to an individual file or to all files in a folder.

To Apply a Label to a File

  1. Locate the file within your operating system.
  2. Right-click the file and click Show more options then Apply sensitivity label with Microsoft Purview from the drop-down.
  3. Click the appropriate label.
  4. Click Apply.
  5. Click Close.

To Apply a Label to All Applicable Files in a Folder

  1. Locate the folder within your operating system.
  2. Right-click the file and click Show more options then Apply sensitivity label with Microsoft Purview from the drop-down.
  3. Click the appropriate label.
  4. Click Apply.
  5. Click Show results to ensure the results are as expected.
  6. Click Close.

To Change a Label

  1. Locate the file or folder within your operating system.
  2. Right-click the file and click Show more options then Apply sensitivity label with Microsoft Purview from the drop-down.
  3. Click the appropriate label.
  4. Click Apply.
  5. A window may then appear. In that window, choose the appropriate reason for why you are removing the label. Type any extra information into the text box as appropriate.
  6. Click Confirm.
  7. Click Close.

Best Practices for Label Use

  • Review sensitivity labels before sharing emails or files, especially if they contain any protected elements.
  • Avoid relying on the default (Public) for documents that contain identifiable, sensitive, or regulated information.
  • Match your label to the data classification — if in doubt, refer to the Common Data Elements table or contact the NDUS Office of Information Security.

Frequently Asked Questions

How Do I Open a File or Email That Is Protected with PIP?

The method and experience for opening a file will vary depending on several factors:

  • File format - You may be required to download specific applications to open non-Microsoft file formats. For example, to open a PDF, you may be required to download Adobe Acrobat Reader.
  • UND Recipient - You will be required to authenticate with your username and passphrase.
  • External Recipient - You may be required to authenticate with your username and passphrase or enter a one-time passcode.

What Do the Sensitivity Labels Mean in SharePoint and Teams?

When a sensitivity label is applied to a SharePoint site or Team, it is for descriptive purposes only. It does not apply any data protection. 

To apply a label to an existing team:

  1. Click the ellipsis (three dots) next to the team's name.
  2. Click Edit Team.
  3. Select the appropriate sensitivity label under Sensitivity.

More Information

Virginia Tech - Understanding Microsoft 365 Sensitivity Labels

Microsoft - Apply sensitivity labels to your files

 

Was this helpful?
0 reviews
Print Article