Sensitivity labels - a safe tool to protect your work documents

Umeå University introduces a new support that helps all employees to manage their work documents in Microsoft 365 in a secure way. The support is called “sensitivity labels” and is an opportunity to add protection and get guidance on how the document can be shared with others.

This is how it works

The support is about helping you as a user to manage and share your work documents in a secure way. With the help of the support, you get an opportunity to apply appropriate protection to documents and work materials. The support is available for Office documents (Word, Excel, Powerpoint, PDF) and email with attachments. The extra protection can, for example, be about encrypting email or technically limiting how information can be shared and who can open or read an accompanying attachment.

There are different levels of sensitivity labels that all involve different levels of protection. The levels of sensitivity labels follow the levels of protection needs that are set when classifying information processing.

 

How to choose a sensitivity label

Restricted sharing (default)

All documents in Microsoft 365 initially receive the sensitivity label Restricted sharing. Information that has this label should normally only be processed within Umeå University or within a project group. The label should, for example, be set if the information contains common personal data (limited amount) or if caution applies to dissemination, sharing, publishing. The Restricted sharing label does not mean that any extra protection measures are automatically applied to your document, but it gives an indication to you as a user to consider how you share the information and with whom.

In many cases, it is appropriate that our work documents have this label. It can be work documents that you want to limit because they may contain information that is not anchored or proofread and may have sloppy formulations. It can, for example, be a draft of a protocol where the accuracy wants to be ensured first. If a work document is shared or sent outside the university, the document is counted as expedited and thus becomes a public document that can have negative unwanted consequences. Therefore, it is important to remind yourself and be aware of what is shared.

If you decide that it is the right label for the information in the document, you do not need to change anything. However, it is important to reflect on the protection value of the information you handle at each occasion, so that you can increase the protection level or lower it if necessary.

 

Open (to lower the protection level)

If the information in your document can be considered public, i.e. that it does not need to be protected from unauthorized persons, you change the label to Open. You can do this for information that can be openly shared with others without negative impact on our or another organization, assets or for individual individuals. The label can, for example, be changed to Open in connection with a document to be published on the university website or shared with someone outside the university. Information with the Open label may contain common personal data in limited quantities.

 

Confidential (to raise the protection level)

If the information instead requires a higher protection, e.g. contains privacy-sensitive personal data such as personal identity number, assessments, information on legal violations, class lists or other particularly protected information such as research documentation, protocols or similar, you should change the label to Confidential. Documents with the Confidential label can be stored in M365 or in another adapted and approved business system. For e-mail, there is encryption to choose as extra protection, which means that the message itself is encrypted. You choose who should have access to the e-mail message. If a document is sent as an attachment in the e-mail message, the attachment retains the label the document has had before, however, the attachment is encrypted as long as it remains in the e-mail message.

Choose the label that matches how the document should be handled:

  • Confidential Umu: The information has a high protection value and is marked as confidential to signal and make aware of a careful handling of the document. The information should only be shared with selected persons or groups within or outside the university or with those who have a Umu identity. No extra encryption beyond what already exists in M365 takes place. We use "Umu" in the label to mark that it is a document that belongs to and originates from Umeå University.
  • Confidential Umu with encryption in e-mail: The e-mail message itself is encrypted, any attached documents retain their original label but the attachment is encrypted as long as it remains in the e-mail message. Specify which groups or selected persons should have access or alternatively a Umu identity. This is a label for specific needs that is suitable when information is to be sent outside the university and where the information requires a high protection. We use "Umu" in the label to mark that it is a document that belongs to and originates from Umeå University.

 

Strict confidentiality (to raise the protection level further)

If the information requires a very high protection, e.g. contains secrecy or sensitive personal data such as health data or other valuable information such as procurement bids, passwords, code keys or research documents with very high protection value, you should change the label to Strictly confidential. Strictly confidential places special requirements on storage and sharing. Only use the services recommended by ITS to store and share this type of information. For example, Protected Documents and Protected Attachment.

Services linked to Microsoft 365 such as Teams, Sharepoint, OneDrive, including e-mail or similar cloud services, should NOT be used for this type of information. Information that has this label should only be shared with selected persons or groups within or outside the university and then with the help of intended recommended systems or services. For e-mail, there is a technical support that blocks attached documents with the label Strictly confidential, which means that the attachment is not sent to the recipient. Instead, Protected Attachment is recommended.

Documents that have the label Strictly confidential do not receive any encryption beyond what already exists in M365.

Choose the label that matches how the document should be handled:

  • Strictly confidential: Information has a very high protection value and is marked as confidential to signal and make aware of a very careful handling of the document. Should only be stored on recommended services and only shared with selected persons or groups within or outside the university. No encryption beyond what already exists in M365 takes place. A technical support blocks e-mail and attachments with the label Strictly confidential, a reference to Protected Attachment takes place.

Implementation at Umu starts March 20 

Ssensitivity labels" has been tested during 2023 on a smaller pilot group with participants from virtually all units and institutions to ensure a smooth use of the tool. During the pilot project, various types of tests have been carried out to check how sensitivity labels work in different contexts and in different systems and cloud services used at Umeå University.

March 20 is the day for the broad introduction of "sensitivity labels" at Umeå University. In connection with the introduction at Umeå University, training is conducted for all employees with the ambition to create understanding and security when it comes to using the support in their daily work.

Why the support "sensitivity labels" is introduced

The user support "sensitivity labels" is available to facilitate for you as an employee when it comes to managing and sharing your digital work material in Microsoft 365 in the right way based on its current protection value. The support can, for example, help to prevent accidental dissemination of sensitive information.

The goal is that you should feel confident that the digital tools you use in your everyday life help you to manage and protect your information in the situations where it is needed. The sensitivity labels also facilitate the work of complying with laws and regulations regarding personal data and information security.

Want to know more, you can contact ITS


ingegerd.stenlund@umu.se

johan.carlsson@umu.se

Sofia Westerlund
2/19/2024