NHSmail Data Sensitivity Label Global Policy

Important Note:

Deployment of the NHSmail Global Sensitivity Labels is an opt-in process which is to be requested by an organisation’s Local Administrator based on their Security and Information Governance strategy and readiness. Please refer to the article Sensitivity Labels Scope and Requirements for further information on requirements and how to raise a Service Request.

Important Note:

The NHSmail Data Sensitivity Label Global Policy has been designed using the NHSx Records Management Code of Practice as its central guidance, with consideration given to balancing Information Governance terminology against the expected variety of use cases across the NHSmail shared tenant. Please see the section Naming Convention and Design Decisions for more information.

Important Note:

The use of sensitivity labels is non-mandatory and requires manual application from the user. Please note that data will not be automatically labelled.

Important Note:

Throughout this documentation, internal sharing/access refers to those using nhs.net accounts, external sharing/access refers to any other domains. Please ensure that you are familiar with the Known Limitations as well as the Recommendations regarding the use of sensitivity labels.

Policy Details

To better understand the NHSmail Data Sensitivity Label Global Policy, please ensure that you are also familiar with the key definitions outlined in the Sensitivity Labels Overview documentation.

The four parent sensitivity labels deployed as part of the NHSmail Data Sensitivity Label Global Policy are (from least to most restrictive):

  • General
  • Corporate
  • Official
  • Official Sensitive

The parent sensitivity labels ‘Corporate’, ‘Official’ and ‘Official Sensitive’ each have additional sub-labels. More details on each parent label and their sub-labels are outlined below, including descriptions and the configuration set for content-marking, access, and permissions.

Furthermore, the NHSmail Data Sensitivity Label Global Policy has been configured so that:

  • End users are required to provide a justification to remove a label or lower its classification (except in Power BI – please see the page Known Limitations)
  • End users will not be required to apply a label to their emails and documents, nor their Power BI contents
  • End users will be provided with a link to this section upon interacting with the sensitivity labels
  • Contents will not be labelled by default

The table below provides a high-level view of the sensitivity labels structure (left-to-right and top-to-bottom read as least to most restrictive):

| NHSmail Parent Sensitivity Labels | General | Corporate | Official | Official Sensitive |
| --- | --- | --- | --- | --- |
| NHSmail Sub-labels | N/A | Recipients Have Full Control | Recipients Have Full Control | Recipients Have Full Control |
| | N/A | Internal Use Editable | Internal Use Editable | Internal Use Editable |
| | N/A | Internal Use Read Only | Internal Use Read Only | Internal Use Read Only |

Sensitivity Labels Details

The tables below summarise the key configurations of each parent and sub-label within the NHSmail Data Sensitivity Label Global Policy.

Important Note:

The use of sensitivity labels is non-mandatory and requires manual application from the end user. Please note that data will not be automatically labelled.

General

| Configuration | Details |
| --- | --- |
| Category | Parent |
| Name | General |
| Description | This label does not apply any protection and is for labelling purposes only. It should be used to mark documents and emails that are not business records or sensitive. |
| Files and emails | |
| Label can be applied on files and emails | Yes |
| Encrypts the files and emails | No |
| Marks the content of files | Yes – Header marking |
| Header text | *** General – No Additional Protection *** |
| Font size | 12 |
| Font colour | Black |
| Text layout | Central |
| Groups and sites | |
| Label can be applied on groups and sites | Yes |
| Privacy setting | Private |
| Lets Microsoft 365 Group owners add people outside your organisation (tenant) to the group as guests | Yes – Group owners must have Guest Inviter role |
| Control external sharing from labelled SharePoint sites. Content can be shared with: | New and existing guests |

Corporate

| Configuration | Details |
| --- | --- |
| Category | Parent |
| Name | Corporate |
| Description | For information related to business processes, examples include Finance and Communications. |
| Files and emails | |
| Label can be applied on files and emails | Via sub-labels |
| Groups and sites | |
| Label can be applied on groups and sites | Yes |
| Privacy setting | Private |
| Lets Microsoft 365 Group owners add people outside your organisation (tenant) to the group as guests | Yes – Group owners must have Guest Inviter role |
| Control external sharing from labelled SharePoint sites. Content can be shared with: | New and existing guests |

Corporate Sub-labels

| Configuration | Recipients Have Full Control | Internal Use Editable | Internal Use Read Only |
| --- | --- | --- | --- |
| Category | Corporate sub-labels | Corporate sub-labels | Corporate sub-labels |
| Name | Recipients Have Full Control | Internal Use Editable | Internal Use Read Only |
| Description | Business records that do not contain personal identifiable or business sensitive data. Recipients have full control. | Business records that do not contain personal identifiable or business sensitive data. All nhs.net users can edit, copy, print, view and save content. All other external parties will not have access to the content. Please note printing is currently not supported via web browser. | Business records that do not contain personal identifiable or business sensitive data. NHSmail users can only view content. Copy, print, save, edit functionalities will not be allowed. All other external parties will not have access to the content. |
| Files and emails | | | |
| Label can be applied on files and emails | Yes | Yes | Yes |
| Encrypts the files and emails | No | Yes | Yes |
| Marks the content of files | Yes – Header marking | Yes – Header marking | Yes – Header marking |
| Header text | *** Corporate – Recipients Have Full Control *** | *** Corporate – Internal Use Editable *** | *** Corporate – Internal Use Read Only *** |
| Font size | 12 | 12 | 12 |
| Font colour | Black | Black | Black |
| Text layout | Central | Central | Central |
| Remove encryption if the file or email is encrypted | N/A | No | No |
| Assign permissions now or let users decide? (Assign permissions now/Let users assign when they apply the label) | N/A | Assign permissions now | Assign permissions now |
| User access to content expires | N/A | Never* (aligns with the tenant setting of 30 days) | Never* (aligns with the tenant setting of 30 days) |
| Allow offline access | N/A | Always | Always |
| Assign permissions to | N/A | Add all users and groups in your organisation (tenant) | Add all users and groups in your organisation (tenant) |
| Permission level | N/A | Co-Author | Viewer |
| Groups and sites | | | |
| Label can be applied on groups and sites | Yes – Inherits from parent label Corporate | Yes – Inherits from parent label Corporate | Yes – Inherits from parent label Corporate |

Official

| Configuration | Details |
| --- | --- |
| Category | Parent |
| Name | Official |
| Description | For items which contain personal identifiable or business sensitive data. Commercial- or market-sensitive information, including that subject to statutory or regulatory obligations, that may be damaging to HMG or to a commercial partner if improperly accessed. |
| Files and emails | |
| Label can be applied on files and emails | Via sub-labels |
| Groups and sites | |
| Label can be applied on groups and sites | Yes |
| Privacy setting | Private |
| Lets Microsoft 365 Group owners add people outside your organisation (tenant) to the group as guests | Yes – Group owners must have Guest Inviter role |
| Control external sharing from labelled SharePoint sites. Content can be shared with: | New and existing guests |

Official Sub-labels

| Configuration | Recipients Have Full Control | Internal Use Editable | Internal Use Read Only |
| --- | --- | --- | --- |
| Category | Official sub-labels | Official sub-labels | Official sub-labels |
| Name | Recipients Have Full Control | Internal Use Editable | Internal Use Read Only |
| Description | Items which contain personal identifiable or business sensitive (commercial) data. Recipients have full control. | Items which contain personal identifiable or business sensitive (commercial) data. All nhs.net users can edit, copy, print, view and save content. All other external parties will not have access to the content. Please note printing is currently not supported via web browser. | Items which contain personal identifiable or business sensitive (commercial) data. NHSmail users can only view content. Copy, print, save, edit functionalities will not be allowed. All other external parties will not have access to the content. |
| Files and emails | | | |
| Label can be applied on files and emails | Yes | Yes | Yes |
| Encrypts the files and emails | No | Yes | Yes |
| Marks the content of files | Yes – Header marking | Yes – Header marking | Yes – Header marking |
| Header text | *** Official – Recipients Have Full Control *** | *** Official – Internal Use Editable *** | *** Official – Internal Use Read Only *** |
| Font size | 12 | 12 | 12 |
| Font colour | Black | Black | Black |
| Text layout | Central | Central | Central |
| Remove encryption if the file or email is encrypted | N/A | No | No |
| Assign permissions now or let users decide? (Assign permissions now/Let users assign when they apply the label) | N/A | Assign permissions now | Assign permissions now |
| User access to content expires | N/A | Never* (aligns with the tenant setting of 30 days) | Never* (aligns with the tenant setting of 30 days) |
| Allow offline access | N/A | Always | Always |
| Assign permissions to | N/A | Add all users and groups in your organisation (tenant) | Add all users and groups in your organisation (tenant) |
| Permission level | N/A | Co-Author | Viewer |
| Groups and sites | | | |
| Label can be applied on groups and sites | Inherits from parent label Official | Inherits from parent label Official | Inherits from parent label Official |

Official Sensitive

| Configuration | Details |
| --- | --- |
| Category | Parent |
| Name | Official Sensitive |
| Description | Sensitive company, client or customer personal data that can only be shared with a specific business need. Applies to data regulated by privacy laws including personnel financial information, and technical infrastructure documentation. |
| Files and emails | |
| Label can be applied on files and emails | Via sub-labels |
| Groups and sites | |
| Label can be applied on groups and sites | Yes |
| Privacy setting | Private |
| Lets Microsoft 365 Group owners add people outside your organisation (tenant) to the group as guests | No – even if the group owners have the Guest Inviter role |
| Control external sharing from labelled SharePoint sites. Content can be shared with: | New and existing guests |

Official Sensitive Sub-labels

| Configuration | Recipients Have Full Control | Internal Use Editable | Internal Use Read Only |
| --- | --- | --- | --- |
| Category | Official Sensitive sub-labels | Official Sensitive sub-labels | Official Sensitive sub-labels |
| Name | Recipients Have Full Control | Internal Use Editable | Internal Use Read Only |
| Description | Items which contain sensitive personal identifiable or highly confidential business sensitive data. Content is encrypted but recipients have full control. | Items which contain sensitive personal identifiable or highly confidential business sensitive data. All nhs.net users can edit, copy, print, view and save content. All other external parties will not have access to the content. Please note printing is currently not supported via web browser. | Items which contain sensitive personal identifiable or highly confidential business sensitive data. NHSmail users can only view content. Copy, print, save, edit functionalities will not be allowed. All other external parties will not have access to the content. |
| Files and emails | | | |
| Label can be applied on files and emails | Yes | Yes | Yes |
| Encrypts the files and emails | Yes | Yes | Yes |
| Marks the content of files | Yes – Header marking | Yes – Header marking | Yes – Header marking |
| Header text | *** Official Sensitive – Recipients Have Full Control *** | *** Official Sensitive – Internal Use Editable *** | *** Official Sensitive – Internal Use Read Only *** |
| Font size | 12 | 12 | 12 |
| Font colour | Black | Black | Black |
| Text layout | Central | Central | Central |
| Remove encryption if the file or email is encrypted | No | No | No |
| Assign permissions now or let users decide? (Assign permissions now/Let users assign when they apply the label) | Assign permissions now | Assign permissions now | Assign permissions now |
| User access to content expires | Never* (aligns with the tenant setting of 30 days) | Never* (aligns with the tenant setting of 30 days) | Never* (aligns with the tenant setting of 30 days) |
| Allow offline access | 7 days | 7 days | 7 days |
| Assign permissions to | Add all users and groups in your organisation (tenant); Add any authenticated users | Add all users and groups in your organisation (tenant) | Add all users and groups in your organisation (tenant) |
| Permission level | Co-owner | Co-Author | Viewer |
| Groups and sites | | | |
| Label can be applied on groups and sites | Inherits from parent label Official Sensitive | Inherits from parent label Official Sensitive | Inherits from parent label Official Sensitive |

Important Note:

When using/applying sensitivity labels on web applications (Word, Excel and PowerPoint), the header text will not be clearly visible in the document header. However, the file will still be labelled. Please see the Applying Sensitivity Labels – Files and Emails guidance for more information.

Example Use Cases

Consider the following example of the expected behaviour when end users apply sensitivity labels to their emails. Please note that in addition to the below, other actions considered as part of the sensitivity label permission level may apply. Key permission level definitions are outlined in the Sensitivity Labels Overview, and the permission level assigned to each label can be viewed in the Sensitivity Labels Details section.

| Label Name | Email can be read by the internal recipient (@nhs.net) | Email can be read by the external recipient (in the allow list) | Email can be read by the external recipient (not in the allow list) |
| --- | --- | --- | --- |
| General | Yes | Yes | Yes |
| Corporate / Recipients Have Full Control | Yes | Yes | Yes |
| Corporate / Internal Use Editable | Yes | No | No |
| Corporate / Internal Use Read Only | Yes | No | No |
| Official / Recipients Have Full Control | Yes | Yes | Yes |
| Official / Internal Use Editable | Yes | No | No |
| Official / Internal Use Read Only | Yes | No | No |
| Official Sensitive / Recipients Have Full Control | Yes | Yes | Yes |
| Official Sensitive / Internal Use Editable | Yes | No | No |
| Official Sensitive / Internal Use Read Only | Yes | No | No |

Naming Convention and Design Decisions

Please note, when designing the sensitivity labels deployed via the NHSmail Data Sensitivity Label Global Policy, including the naming convention chosen for these labels, several factors were considered:

  • Differing knowledge across the user base (Healthcare workers, IT, Security and Information Governance professionals)
  • Differing use cases across the entire Health and Social Care sector in England
  • Common NHS phrases (Confidential, PID, SAR, FOI, Sensitive PID)

As per the government guidance, the NHSx Records Management Code of Practice and the Government Security Classifications were factored in as the primary label naming suggestions. However, the NHS documentation does not fit the description of the two highest classifications:

| Label | Summary | Assessment |
| --- | --- | --- |
| Secret | Threat of loss to life | Deemed not applicable to NHS setting |
| Top Secret | Disclosure results in national security being compromised and widespread loss of life | Deemed not applicable to NHS setting |

Furthermore, Microsoft’s sensitivity labels functionality does not provide the necessary capabilities to label documents ‘LOCSEN’ (sensitive information that locally engaged staff overseas cannot access) as per the Government Security Classification. Therefore, this was excluded from the naming convention.

All sensitivity labels deployed are accompanied by descriptions that help end users to identify personal or commercial labels. Thus, the Government Security Classifications were incorporated as part of a hybrid approach.

The sub-labels incorporate standard Microsoft functionalities and permissions (for example: read-only, editable, and others) so that what each sensitivity label does is clear to end users, rather than prompting them to inadvertently select a sensitivity label that is unintentionally restrictive.

Recommendations

Below are some recommended practices when using sensitivity labels. Other examples can be found in the Microsoft documentation – Learn about sensitivity labels.

Known Limitations

Please refer to the Sensitivity Labels Overview – Known Limitations documentation for more information on expected behaviours when applying sensitivity labels.

External Collaboration

The sensitivity labels deployed via the NHSmail Data Sensitivity Label Global Policy protect data from external live access by design. Please note that this excludes guests already included in the allow list.

If you are collaborating with external parties who are not part of the allow list, please note that they will not be able to view live labelled content and/or be added to groups and sites. For emails, Egress should be used instead of sensitivity labels. It is therefore recommended that you take this information into consideration before labelling content (including emails) intended to be shared externally.

Visit Guest Access for more information about external guests.

Interaction with Egress

Labelled documents attached to emails will be sent to the recipient as a copy (instead of a live version) if Egress is applied.

Please consider the below approach when sharing labelled documents:

If the recipient has access to the Teams/SharePoint site hosting the document:

  • It is recommended to share the labelled document using a hyperlink instead of an attachment

If the recipient does not have access to the Teams/SharePoint site hosting the document:

  • You may proceed to send the document as an attached copy. However, please note that changes made by the recipient will not be reflected in your version of the document and vice versa. Additionally, please consider the recommendations outlined above under External Collaboration if you are sharing a labelled document with an external party who is not included in the allow list

Visit Encryption and Email Security for more information about Egress.

Internal Use Editable – Office Web Application

Documents labelled with “Internal Use Editable” (sub-label to Corporate, Official or Official Sensitive) cannot be printed using the Office Web Application version of Word, Excel and PowerPoint.

However, a copy of the document can be downloaded from Teams/SharePoint for printing.

If you have O365 desktop applications:

  • Find the document in your Downloads folder and proceed to open and print the document

If you do not have O365 desktop applications:

  • Find the document in your Downloads folder, right-click on the document and select “Print”.

Relationship Levels

Labelled documents stored within a group/site (i.e. Teams/SharePoint) cannot be more restrictive than the group/site itself.

When labelling documents, please first consider the label applied to the group/site (if any). If you require your document to have higher restrictions, please reach out to the Teams/SharePoint site owner to request that the group/site label either be removed or increased in restriction.

Syncing OneDrive

Sensitivity label issues with the message ‘Azure Information Protection cannot apply this label’ can arise if the end user’s OneDrive is not synced to their local device.

To troubleshoot, refresh and log in again to the account to ensure OneDrive has synced to the local device. Visit this article for more details on how to sync your OneDrive.

Updated on 04/05/2022
