Warning: Applying a sensitivity label does not automatically grant access to anyone. It only limits how the content can be shared based on the label’s recipient restrictions.
Warning: All documents and emails default to the UND-Public label. Users must select UND-Private or UND-Restricted if higher protection is needed.
Introduction
Sensitivity labels in Microsoft 365 help classify and protect data according to its level of confidentiality. At UND, these labels align with NDUS Policy 1203.7, ensuring that institutional and legal requirements for data handling are met.
Table of Contents
What Are Microsoft 365 Sensitivity Labels?
Microsoft 365 Sensitivity Labels allow users to classify and apply protection policies, such as encryption and access control, based on how sensitive the data is. These protections travel with the data, whether it's in an email, Word document, or Excel spreadsheet.
Key Benefits
- Compliance Assistance: Labels help identify and secure data governed by regulations like FERPA, HIPAA, or contractual obligations.
- Enhanced Security: Labels can enforce encryption and block actions like forwarding or copying.
- Persistent Protection: The applied label stays with the file/email no matter where it's stored or shared.
- User Flexibility: Labels can be easily selected in Outlook, Word, Excel, PowerPoint, and the Outlook Web App (OWA).
At UND, all documents and emails default to the UND-Public label. Users must select UND-Private or UND-Restricted if higher protection is needed.
Label Overview and Guidance
| Label |
Use When... |
Protections Applied |
Recipient Restrictions |
UND-Public |
Sharing general information that is not confidential.
|
No encryption, no restrictions.
|
None — can be shared with anyone, including the public. |
UND-Private |
Handling internal or moderately sensitive data.
|
Email encryption, "Private" header. Sharing can be limited.
|
Configurable:
• All NDUS
• UND Campus only
• Specific individuals/teams |
UND-Restricted  |
Sharing highly confidential, regulated, or legally protected data.
|
Email encryption, forwarding blocked, copying blocked, "Restricted" header, watermark. Sharing can be limited.
|
Configurable:
• All NDUS
• UND Campus only
• Specific individuals/teams |
Recipient Restrictions (does not automatically share access)
- All NDUS: Anyone with an account across any NDUS institution can access.
- UND Campus: Limited to users with @UND.edu email addresses.
- Specific Individuals/Teams: Manually defined when applying the label.
Can Do vs Cannot Do
|
UND Sensitivity Label
|
What the Label Can Do
|
What the Label Cannot Do / Common Misconceptions
|
|
UND‑Public
|
• Intended for public or open sharing
• No encryption and no access restrictions
• Allows sharing with anyone, including external recipients
|
• Does not automatically make information public or accessible to others
• Does not override existing file or mailbox permissions
• Does not provide protection if sensitive data is mistakenly included
|
|
UND‑Private
|
• Encrypts email and supported files
• Adds a “Private” visual indicator
• Allows the sender to limit access to:
– All NDUS users
– UND‑only users
– Specific individuals or groups
• Protection travels with the data
• Granular access controls for documents
|
• Does not automatically grant access to recipients
• Does not inherently block forwarding, printing, or copying (unless configured elsewhere)
• Does not replace the need to send data only to authorized individuals
|
|
UND‑Restricted
|
• Encrypts email and supported files
• Applies strict access controls
• Blocks forwarding, printing, and copying of email contents
• Adds “Restricted” visual indicators and watermarking in documents
• Intended for high‑risk, legally protected data
|
• Does not allow unrestricted collaboration
• Does not prevent all forms of misuse (e.g., screenshots or handwritten notes)
• Does not auto‑detect all sensitive data—user classification is still required
|
How They Work
|
Recipient Option
|
What This Means
|
When You Would Use It
|
|
All NDUS
|
Allows anyone with an NDUS account (across all NDUS institutions) to open the email or document. Access is still restricted to authenticated NDUS users.
|
Sharing protected information that is appropriate for cross‑campus or system‑wide collaboration.
|
|
UND Campus Only
|
Limits access so only UND community members can open the content. Users from other NDUS institutions or external organizations cannot access it.
|
Sharing internal UND information that should not be accessible outside the UND campus.
|
|
Specific People or Teams
|
Restricts access to only the named individuals or Microsoft 365 groups selected by the sender. No one else can open the content.
|
Sending high‑sensitivity or need‑to‑know information, such as HR, FERPA‑protected, legal, or security‑related data.
|
Label Details with Data Examples
UND-Public
Use for data that can be disclosed without harm or legal restriction.
Examples from Policy 1203.7:
- Not Withheld Student Directory Information (name, address, email address, etc. For further questions, contact the Registrar's Office)
- Job titles and descriptions
- Employee education and work experience
- Budget summaries, payroll time sheets (non-FERPA), invoice and PO details
- Meeting agendas and minutes
Protections:
- No encryption or access restrictions
- Automatically applied by default
UND-Private
Use for sensitive internal information that, if improperly shared, may lead to moderate risk.
Examples from Policy 1203.7:
- Student education records (grades, test scores, financial aid, advising)
- Withheld Student Directory Information (name, address, email address, etc. For further questions, contact the Registrar's Office)
- Passport numbers
- Student or employee ID numbers
- Risk/security assessments
- Legal investigations and privileged attorney-client communications
- Birth date, gender, ethnicity, or citizenship
- Private infrastructure plans or IP/trade secrets
Protections:
- Email encryption
- "Private" header
Restrictions by recipient type:
- All NDUS
- UND Campus only
- Specific People or Teams
UND-Restricted
Use for high-risk or legally/contractually protected information. This data must be protected against unauthorized disclosure at all times.
Examples from Policy 1203.7:
- Name + Social Security Number or Driver’s License
- Financial account data, debit/credit card details
- Protected Health Information (PHI)
- Export Controlled Data (ITAR/EAR)
- Passwords to systems containing restricted data
- Private encryption keys
Protections:
- Email encryption
- Forwarding is blocked
- Copying is blocked
- “Restricted” header
- Watermark applied to documents
Restrictions by recipient type:
- All NDUS
- UND Campus only
- Specific People or Teams
Best Practices for Label Use
- Review sensitivity labels before sharing emails or files, especially if they contain any protected elements.
- Avoid relying on the default (Public) for documents that contain identifiable, sensitive, or regulated information.
- Match your label to the data classification — if in doubt, refer to the Common Data Elements table or contact the NDUS Office of Information Security.
More Information
Virginia Tech - Understanding Microsoft 365 Sensitivity Labels
Microsoft - Apply sensitivity labels to your files