This is how it works
The support is about helping you as a user to manage and share your work documents in a secure way. With the help of the support, you get an opportunity to apply appropriate protection to documents and work materials. The support is available for Office documents (Word, Excel, Powerpoint, PDF) and email with attachments. The extra protection can, for example, be about encrypting email or technically limiting how information can be shared and who can open or read an accompanying attachment.
There are different levels of sensitivity labels that all involve different levels of protection. The levels of sensitivity labels follow the levels of protection needs that are set when classifying information processing.
How to choose a sensitivity label
Restricted sharing (default)
All documents in Microsoft 365 initially receive the sensitivity label Restricted sharing. Information that has this label should normally only be processed within Umeå University or within a project group. The label should, for example, be set if the information contains common personal data (limited amount) or if caution applies to dissemination, sharing, publishing. The Restricted sharing label does not mean that any extra protection measures are automatically applied to your document, but it gives an indication to you as a user to consider how you share the information and with whom.
In many cases, it is appropriate that our work documents have this label. It can be work documents that you want to limit because they may contain information that is not anchored or proofread and may have sloppy formulations. It can, for example, be a draft of a protocol where the accuracy wants to be ensured first. If a work document is shared or sent outside the university, the document is counted as expedited and thus becomes a public document that can have negative unwanted consequences. Therefore, it is important to remind yourself and be aware of what is shared.
If you decide that it is the right label for the information in the document, you do not need to change anything. However, it is important to reflect on the protection value of the information you handle at each occasion, so that you can increase the protection level or lower it if necessary.
Open (to lower the protection level)
If the information in your document can be considered public, i.e. that it does not need to be protected from unauthorized persons, you change the label to Open. You can do this for information that can be openly shared with others without negative impact on our or another organization, assets or for individual individuals. The label can, for example, be changed to Open in connection with a document to be published on the university website or shared with someone outside the university. Information with the Open label may contain common personal data in limited quantities.
Confidential (to raise the protection level)
If the information instead requires a higher protection, e.g. contains privacy-sensitive personal data such as personal identity number, assessments, information on legal violations, class lists or other particularly protected information such as research documentation, protocols or similar, you should change the label to Confidential. Documents with the Confidential label can be stored in M365 or in another adapted and approved business system. For e-mail, there is encryption to choose as extra protection, which means that the message itself is encrypted. You choose who should have access to the e-mail message. If a document is sent as an attachment in the e-mail message, the attachment retains the label the document has had before, however, the attachment is encrypted as long as it remains in the e-mail message.
Choose the label that matches how the document should be handled:
- Confidential Umu: The information has a high protection value and is marked as confidential to signal and make aware of a careful handling of the document. The information should only be shared with selected persons or groups within or outside the university or with those who have a Umu identity. No extra encryption beyond what already exists in M365 takes place. We use "Umu" in the label to mark that it is a document that belongs to and originates from Umeå University.
- Confidential Umu with encryption in e-mail: The e-mail message itself is encrypted, any attached documents retain their original label but the attachment is encrypted as long as it remains in the e-mail message. Specify which groups or selected persons should have access or alternatively a Umu identity. This is a label for specific needs that is suitable when information is to be sent outside the university and where the information requires a high protection. We use "Umu" in the label to mark that it is a document that belongs to and originates from Umeå University.
Strict confidentiality (to raise the protection level further)
If the information requires a very high protection, e.g. contains secrecy or sensitive personal data such as health data or other valuable information such as procurement bids, passwords, code keys or research documents with very high protection value, you should change the label to Strictly confidential. Strictly confidential places special requirements on storage and sharing. Only use the services recommended by ITS to store and share this type of information. For example, Protected Documents and Protected Attachment.
Services linked to Microsoft 365 such as Teams, Sharepoint, OneDrive, including e-mail or similar cloud services, should NOT be used for this type of information. Information that has this label should only be shared with selected persons or groups within or outside the university and then with the help of intended recommended systems or services. For e-mail, there is a technical support that blocks attached documents with the label Strictly confidential, which means that the attachment is not sent to the recipient. Instead, Protected Attachment is recommended.
Documents that have the label Strictly confidential do not receive any encryption beyond what already exists in M365.
Choose the label that matches how the document should be handled:
- Strictly confidential: Information has a very high protection value and is marked as confidential to signal and make aware of a very careful handling of the document. Should only be stored on recommended services and only shared with selected persons or groups within or outside the university. No encryption beyond what already exists in M365 takes place. A technical support blocks e-mail and attachments with the label Strictly confidential, a reference to Protected Attachment takes place.
HOW TO USE SENSITIVITY LABELS
Instructional video showing how to use the sensitivity labels. The video is 4:40 minutes long. Turn on subtitles by clicking on CC.
Implementation at Umu starts March 20
Ssensitivity labels" has been tested during 2023 on a smaller pilot group with participants from virtually all units and institutions to ensure a smooth use of the tool. During the pilot project, various types of tests have been carried out to check how sensitivity labels work in different contexts and in different systems and cloud services used at Umeå University.
March 20 is the day for the broad introduction of "sensitivity labels" at Umeå University. In connection with the introduction at Umeå University, training is conducted for all employees with the ambition to create understanding and security when it comes to using the support in their daily work.
Why the support "sensitivity labels" is introduced
The user support "sensitivity labels" is available to facilitate for you as an employee when it comes to managing and sharing your digital work material in Microsoft 365 in the right way based on its current protection value. The support can, for example, help to prevent accidental dissemination of sensitive information.
The goal is that you should feel confident that the digital tools you use in your everyday life help you to manage and protect your information in the situations where it is needed. The sensitivity labels also facilitate the work of complying with laws and regulations regarding personal data and information security.
FAQ
Why is the standard label 'Limited sharing' set on my document?
Limited sharing is always set to give an indication to users to consider how information is shared and with whom. Caution applies when disseminating and sharing. You can raise or lower the level based on need. In many cases, it is appropriate for our work documents to have this label. Example: Administrative documents, draft minutes and notes before they have been proofread. May contain a limited amount of common personal data.
My work document is ready to be published - How do I change the label so it no longer says 'Limited sharing' in the header?
Change the label to 'Open' when your document is to be published, then the label is no longer displayed in the document's header. See how to change the label in the video on the page above.
I need to save sensitive personal data, which label should I choose?
Choose the label 'Strictly confidential'. Remember not to store the document in the Microsoft 365 platform. Use ITS recommended services e.g. Protected documents.
Can I email an attachment with the label 'Strictly confidential' containing sensitive personal data?
No, attachments with the label 'Strictly confidential' cannot be emailed. Instead, use the ITS recommended service Protected attachment.
I need to send a certificate containing privacy-sensitive personal data, can I email the attachment?
Yes, set the label 'UMU Confidential with encryption in email' on the email message, then the email message and attachment are encrypted as long as it remains in the message. The small padlock on the shield indicates that the label adds encryption.
Are my documents encrypted if they have the label 'Confidential' or 'Strictly confidential'?
No extra encryption is currently set on the documents. However, all documents saved in the Microsoft 365 platform are encrypted as long as they are stored in the platform. However, the document with the label 'Strictly confidential' should not be saved in the Microsoft 365 platform. Use ITS recommended services e.g. Protected documents.
The marking in the document is above/below other text in the header. Can it be adjusted manually?
Yes, if you click in the header so that you can edit the header, you can move the marking that comes with the labels.
If I convert or save a document as .pdf, does the sensitivity label follow?
Yes. The sensitivity label follows when you convert or save a document as a PDF.
I work a lot with .pdf files. Can I add or change the label in Acrobat?
Yes, Adobe Acrobat has built-in support for handling sensitivity labels. All Adobe versions also display the label.
Who are my documents shared with when I choose the label 'Limited sharing'?
The labels do not share documents but are currently mainly used to classify documents according to the consequence it has for Umu or another party if the information were to fall into the wrong hands.
I have no labels in Office but my colleagues do, why?
You can verify via office.com and the Office web apps if you have had the labels published to you. If you have the labels in the web apps, it is probably due to your local Office installation not meeting the version requirement. Contact ITS Servicedesk.