Deployment of the NHSmail Global Sensitivity Labels is an opt-in process which is to be requested by an organisation’s Local Administrator based on their Security and Information Governance strategy and readiness. Please refer to article Sensitivity Labels Scope and Requirements for further information on requirements and how to raise a Service Request.
The NHSmail Data Sensitivity Label Global Policy has been designed using the NHSx Records Management Code of Practice as a central guidance where considerations have been taken to balance Information Governance terminology with the expected variety of use cases across the NHSmail shared tenant. Please see the section Naming Convention and Design Decisions for more information.
The use of sensitivity labels is non-mandatory and requires manual application from the user. Please note that data will not be automatically labelled.
Throughout this documentation, internal sharing/access refers to those using nhs.net accounts, external sharing/access refers to any other domains. Please ensure that you are familiar with the Known Limitations as well as the Recommendations regarding the use of sensitivity labels.
Policy Details
To better understand the NHSmail Data Sensitivity Label Global Policy, please ensure that you are also familiar with the key definitions outlined in the Sensitivity Labels Overview documentation.
The four parent sensitivity labels deployed as part of the NHSmail Data Sensitivity Label Global Policy are (from least to most restrictive):
- General
- Corporate
- Official
- Official Sensitive
The parent sensitivity labels ‘Corporate’, ‘Official’ and ‘Official Sensitive’ each have additional sub-labels. More details on each parent label and their sub-labels are outlined below, including descriptions and the configuration set for content-marking, access, and permissions.
Furthermore, the NHSmail Data Sensitivity Label Global Policy has been configured so that:
- End users are required to provide a justification to remove a label or lower its classification (except in Power BI – please see the page Known Limitations)
- End users will not be required to apply a label to their emails and documents, nor their Power BI contents
- End users will be provided with a link to this section upon interacting with the sensitivity labels
- Contents will not be labelled by default
The table below provides a high-level view of the sensitivity labels structure (left-to-right and top-to-bottom read as least to most restrictive):
| NHSmail Parent Sensitivity Labels | ||||
| General | Corporate | Official | Official Sensitive | |
| NHSmail Sub-labels | N/A | Recipients Have Full Control | Recipients Have Full Control | Recipients Have Full Control |
| N/A | Internal Use Editable | Internal Use Editable | Internal Use Editable | |
| N/A | Internal Use Read Only | Internal Use Read Only | Internal Use Read Only | |
Sensitivity Labels Details
The tables below summarise the key configurations of each parent and sub-label within the NHSmail Data Sensitivity Label Global Policy.
The use of sensitivity labels is non-mandatory and requires manual application from the end user. Please note that data will not be automatically labelled.
General
| Configuration | Details |
| Category | Parent |
| Name | General |
| Description | This label does not apply any protection and is for labelling purposes only. It should be used to mark documents and emails that are not business records or sensitive. |
| Files and emails | |
| Label can be applied on files and emails | Yes |
| Encrypts the files and emails | No |
| Marks the content of files | Yes – Header marking |
| Header text | *** General – No Additional Protection *** |
| Font size | 12 |
| Font colour | Black |
| Text layout | Central |
| Groups and sites | |
| Label can be applied on groups and sites | Yes |
| Privacy setting | Private |
| Lets Microsoft 365 Group owners add people outside your organisation (tenant) to the group as guests | Yes – Group owners must have Guest Inviter role |
| Control external sharing from labelled SharePoint sites. Content can be shared with: | New and existing guests |
Corporate
| Configuration | Details |
| Category | Parent |
| Name | Corporate |
| Description | For information related to business processes, examples include Finance and Communications. |
| Files and emails | |
| Label can be applied on files and emails | Via sub-labels |
| Groups and sites | |
| Label can be applied on groups and sites | Yes |
| Privacy setting | Private |
| Lets Microsoft 365 Group owners add people outside your organisation (tenant) to the group as guests | Yes – Group owners must have Guest Inviter role |
| Control external sharing from labelled SharePoint sites. Content can be shared with: | New and existing guests |
Corporate Sub-labels
| Configuration | Details | ||
| Category | Corporate sub-labels | ||
| Name | Recipients Have Full Control | Internal Use Editable | Internal Use Read Only |
| Description | Business records that do not contain personal identifiable or business sensitive data. Recipients have full control. | Business records that do not contain personal identifiable or business sensitive data. All nhs.net users can edit, copy, print, view and save content. All other external parties will not have access to the content. Please note printing is currently not supported via web browser. | Business records that do not contain personal identifiable or business sensitive data. NHSmail users can only view content. Copy, print, save, edit functionalities will not be allowed. All other external parties will not have access to the content. |
| Files and emails | |||
| Label can be applied on files and emails | Yes | Yes | Yes |
| Encrypts the files and emails | No | Yes | Yes |
| Marks the content of files | Yes – Header marking | ||
| Header text | *** Corporate – Recipients Have Full Control *** | *** Corporate – Internal Use Editable *** | *** Corporate – Internal Use Read Only *** |
| Font size | 12 | ||
| Font colour | Black | ||
| Text layout | Central | ||
| Remove encryption if the file or email is encrypted | N/A | No | No |
| Assign permissions now or let users decide? (Assign permissions now/Let users assign when they apply the label) | N/A | Assign permissions now | Assign permissions now |
| User access to content expires | N/A | Never*
aligns with the tenant setting of 30 days |
Never*
aligns with the tenant setting of 30 days |
| Allow offline access | N/A | Always | Always |
| Assign permissions to | N/A | Add all users and groups in your organisation (tenant) | Add all users and groups in your organisation (tenant) |
| Permission level | N/A | Co-Author | Viewer |
| Groups and sites | |||
| Label can be applied on groups and sites | Yes – Inherits from parent label Corporate | ||
Official
| Configuration | Details |
| Category | Parent |
| Name | Official |
| Description | For items which contain personal identifiable or business sensitive data. Commercial- or market-sensitive information, including that subject to statutory or regulatory obligations, that may be damaging to HMG or to a commercial partner if improperly accessed. |
| Files and emails | |
| Label can be applied on files and emails | Via sub-labels |
| Groups and sites | |
| Label can be applied on groups and sites | Yes |
| Privacy setting | Private |
| Lets Microsoft 365 Group owners add people outside your organisation (tenant) to the group as guests | Yes – Group owners must have Guest Inviter role |
| Control external sharing from labelled SharePoint sites. Content can be shared with: | New and existing guests |
Official Sub-labels
| Configuration | Details | ||
| Category | Official sub-labels | ||
| Name | Recipients Have Full Control | Internal Use Editable | Internal Use Read Only |
| Description | Items which contain personal identifiable or business sensitive (commercial) data. Recipients have full control. | Items which contain personal identifiable or business sensitive (commercial) data. All nhs.net users can edit, copy, print, view and save content. All other external parties will not have access to the content. Please note printing is currently not supported via web browser. | Items which contain personal identifiable or business sensitive (commercial) data. NHSmail users can only view content. Copy, print, save, edit functionalities will not be allowed. All other external parties will not have access to the content. |
| Files and emails | |||
| Label can be applied on files and emails | Yes | Yes | Yes |
| Encrypts the files and emails | No | Yes | Yes |
| Marks the content of files | Yes – Header marking | ||
| Header text | *** Official – Recipients Have Full Control *** | *** Official – Internal Use Editable *** | *** Official – Internal Use Read Only *** |
| Font size | 12 | ||
| Font colour | Black | ||
| Text layout | Central | ||
| Remove encryption if the file or email is encrypted | N/A | No | No |
| Assign permissions now or let users decide? (Assign permissions now/Let users assign when they apply the label) | N/A | Assign permissions now | Assign permissions now |
| User access to content expires | N/A | Never*
aligns with the tenant setting of 30 days |
Never*
aligns with the tenant setting of 30 days |
| Allow offline access | N/A | Always | Always |
| Assign permissions to | N/A | Add all users and groups in your organisation (tenant) | Add all users and groups in your organisation (tenant) |
| Permission level | N/A | Co-Author | Viewer |
| Groups and sites | |||
| Label can be applied on groups and sites | Inherits from parent label Official | ||
Official Sensitive
| Configuration | Details |
| Category | Parent |
| Name | Official Sensitive |
| Description | Sensitive company, client or customer personal data that can only be shared with a specific business need. Applies to data regulated by privacy laws including personnel financial information, and technical infrastructure documentation. |
| Files and emails | |
| Label can be applied on files and emails | Via sub-labels |
| Groups and sites | |
| Label can be applied on groups and sites | Yes |
| Privacy setting | Private |
| Lets Microsoft 365 Group owners add people outside your organisation (tenant) to the group as guests | No – even if the group owners have the Guest Inviter role |
| Control external sharing from labelled SharePoint sites. Content can be shared with: | New and existing guests |
Official Sensitive Sub-labels
| Configuration | Details | ||
| Category | Official Sensitive sub-labels | ||
| Name | Recipients Have Full Control | Internal Use Editable | Internal Use Read Only |
| Description | Items which contain sensitive personal identifiable or highly confidential business sensitive data. Content is encrypted but recipients have full control. | Items which contain sensitive personal identifiable or highly confidential business sensitive data. All nhs.net users can edit, copy, print, view and save content. All other external parties will not have access to the content.
Please note printing is currently not supported via web browser. |
Items which contain sensitive personal identifiable or highly confidential business sensitive data. NHSmail users can only view content. Copy, print, save, edit functionalities will not be allowed. All other external parties will not have access to the content. |
| Files and emails | |||
| Label can be applied on files and emails | Yes | Yes | Yes |
| Encrypts the files and emails | Yes | Yes | Yes |
| Marks the content of files | Yes – Header marking | ||
| Header text | *** Official Sensitive – Recipients Have Full Control *** | *** Official Sensitive – Internal Use Editable *** | *** Official Sensitive – Internal Use Read Only *** |
| Font size | 12 | ||
| Font colour | Black | ||
| Text layout | Central | ||
| Remove encryption if the file or email is encrypted | No | No | No |
| Assign permissions now or let users decide? (Assign permissions now/Let users assign when they apply the label) | Assign permissions now | Assign permissions now | Assign permissions now |
| User access to content expires | Never*
aligns with the tenant setting of 30 days |
Never*
aligns with the tenant setting of 30 days |
Never*
aligns with the tenant setting of 30 days |
| Allow offline access | 7 days | 7 days | 7 days |
| Assign permissions to | Add all users and groups in your organisation (tenant)
Add any authenticated users |
Add all users and groups in your organisation (tenant) | Add all users and groups in your organisation (tenant) |
| Permission level | Co-owner | Co-Author | Viewer |
| Groups and sites | |||
| Label can be applied on groups and sites | Inherits from parent label Official Sensitive | ||
When using/applying sensitivity labels on web applications (Word, Excel and PowerPoint), the header text will not be clearly visible in the document header. However, the file will still be labelled. Please see the Applying Sensitivity Labels – Files and Emails guidance for more information.
Example Use Cases
Consider the following example for the expected behaviour when end users use sensitivity labels on their emails. Please note that in addition to the below, other actions considered as part of the sensitivity label permission level may apply. Key permission levels definitions are outlined in the Sensitivity Labels Overview, and the permission level assigned to each label can be viewed in the Sensitivity Labels Details section.
| Label Name | Email can be read by the internal recipient (@nhs.net) |
Email can be read by the external recipient (in the allow list) |
Email can be read by the external recipient (not in the allow list) |
| General | Yes | Yes | Yes |
| Corporate /Recipients Have Full Control |
Yes | Yes | Yes |
| Corporate /Internal Use Editable |
Yes | No | No |
| Corporate /Internal Use Read Only |
Yes | No | No |
| Official /Recipients Have Full Control |
Yes | Yes | Yes |
| Official /Internal Use Editable |
Yes | No | No |
| Official /Internal Use Read Only |
Yes | No | No |
| Official Sensitive /Recipients Have Full Control |
Yes | Yes | Yes |
| Official Sensitive /Internal Use Editable |
Yes | No | No |
| Official Sensitive /Internal Use Read Only |
Yes | No | No |
Naming Convention and Design Decisions
Please note, when designing the sensitivity labels deployed via the NHSmail Data Sensitivity Label Global Policy, including the naming convention chosen for these labels, several factors were considered:
- Differing knowledge across userbase (Healthcare workers, IT, Security and Information Governance professionals)
- Differing use cases across the entire Health and Social Care sector in England
- Common NHS phrases (Confidential, PID, SAR, FOI, Sensitive PID)
As per the government guidance, the NHSx records management code of practice and the Government Security Classifications were factored in as the primary label naming suggestions. However, the NHS documentation does not fit the description of the two highest classifications:
| Label | Summary | Assessment |
| Secret | Threat of loss to life | Deemed not applicable to NHS setting |
| Top Secret | Disclosure results in national security being compromised and widespread loss of life | Deemed not applicable to NHS setting |
Furthermore, Microsoft’s sensitivity labels functionality does not provide the necessary capabilities to label documents ‘LOCSEN’ (sensitive information that locally engaged staff overseas cannot access) as per the Government Security Classification. Therefore, this was excluded from the naming convention.
All sensitivity labels deployed are accompanied by descriptions that help end users to identify personal or commercial labels. Thus, the Government Security Classifications were incorporated as part of a hybrid approach.
The sub-labels incorporate standard Microsoft functionalities and permissions (for example: read-only, editable, and others) to ensure that the functionalities of the sensitivity labels are clear to end users rather than promoting end users to inadvertently select a sensitivity label that is unintentionally restrictive.
Recommendations
Below are some recommended practices when using sensitivity labels. Other examples can be found in the Microsoft documentation – Learn about sensitivity labels.
| Title | Description |
| Known Limitations | Please refer to the Sensitivity Labels Overview – Known Limitations documentation for more information on expected behaviours when applying sensitivity labels. |
| External Collaboration | The sensitivity labels deployed via the NHSmail Data Sensitivity Label Global Policy protect data from external live access by design. Please note that this excludes guests already included in the allow list.
If you are collaborating with external parties who are not part of the allow list, please note that they will not be able to view live labelled content and or be added to groups and sites. For emails, Egress should be used instead of sensitivity labels. Therefore, it is recommended you take this information into consideration before labelling content (including emails) intended to be shared with externally. Visit Guest Access for more information about external guests. |
| Interaction with Egress | Labelled documents attached to emails will be sent to the recipient as a copy (instead of a live version) if Egress is applied.
Please consider the below approach when sharing labelled documents: If the recipient has access to the Teams/SharePoint site hosting the document:
If the recipient does not have access to the Teams/SharePoint site hosting the document:
Visit Encryption and Email Security for more information about Egress. |
| Internal Use Editable – Office Web Application | Documents labelled with “Internal Use Editable” (sub-label to Corporate, Official or Official Sensitive) cannot be printed using the Office Web Application version of Word, Excel and Power Point.
However, a copy of the document can be downloaded from Teams/SharePoint for printing. If you have O365 desktop applications:
If you do not have O365 desktop applications:
|
| Relationship Levels | Labelled documents stored within a group/site (i.e.: Teams/SharePoint) cannot be more restrictive than the group/site itself.
When labelling documents, please first consider the label applied to the group/site (if any). If you require your document to have higher restrictions, please reach out to the Teams/SharePoint site owner to request for the group/site label to either be removed or increased in restriction. |
| Syncing OneDrive | Sensitivity label issues with the message ‘Azure Information Protection cannot apply this label’ can arise if the end user’s OneDrive is not synced to their local device.
To troubleshoot, refresh and login again to the account to ensure OneDrive has synced to the local device. Visit this article for more details on how to sync your OneDrive. |
| Last Reviewed Date | 04/05/2022 |
