Deployment of the NHSmail Global Sensitivity Labels is an opt-in process which is to be requested by an organisation’s Local Administrator based on their Security and Information Governance strategy and readiness. Please refer to article Sensitivity Labels Scope and Requirements for further information on requirements and how to raise a Service Request.
Sensitivity labels from the Microsoft Information Protection solution allow end users to manually apply sensitivity labels to classify and protect data, while making sure that user productivity and their ability to collaborate is not hindered.
With sensitivity labels, you can classify content and enforce protection settings based on the label via:
- Protective settings for files and emails, such as encryption and content markings: For example, the content will be encrypted by restricting the actions that can be performed in the file/document by others, as well as add a content mark (for example, header text).
- Protecting settings for containers that include Teams, Microsoft 365 Groups, and SharePoint sites: For example, privacy settings, external user access, and external sharing.
For further information on sensitivity labels, please see this Microsoft documentation.
Not all scenarios detailed in the Microsoft Documentation will be relevant or available to use in the NHSmail shared tenant. More information on the sensitivity labels design can be found in the NHSmail Data Sensitivity Label Global Policy.
Throughout this documentation, internal sharing/access refers to those using nhs.net accounts, external sharing/access refers to any other domains.
This section contains key definitions that will support with understanding the wider architecture of sensitivity labels.
Policy
Sensitivity labels are published and made available to end users via policies. Policies may contain sensitivity labels at parent level and sub-label level (as illustrated in the example below).
Label policies can be used to publish sensitivity labels to any specific user or mail-enabled groups.
The NHSmail Data Sensitivity Label Global Policy is the policy in which sensitivity labels will be made available for end users in the NHSmail shared tenant.
Parent Label
Parent sensitivity labels decide the overarching permissions for their corresponding sub-labels. Parent labels can house up to four sub-labels.
Sub-label
Sub-labels sit within the parent label and provide additional content marking, encryption, and permissions from what has already been outlined in the parent label, sub-labels also share the same priority as the parent label they are assigned to.
Standard Configurations
The subsections below outline important information about standard sensitivity labels configurations:
Group and sites
- Privacy settings: The privacy configurations for sensitivity labels have been designed to always be “Private”, which means only team owners and members can access the group/team. Sensitivity labels configuration take precedence over the NHSmail Public and Private settings. In the unlikely event that a sensitivity label is configured as “Public” and applied to a SharePoint site previously defined as “Private”, there would not be a policy in place to restrict access to the site’s content. If this scenario took place, a notification alert would be sent to site owners and Local Administrators.
Files & emails:
-
Encryption settings
- User access to content expires: If ‘Never’, the settings will default to the NHSmail shared tenant settings of 30 days.
- Allow offline access: Allows for configurable options ‘Never’, ‘Always’, or for a specific number of days after the label is applied. If ‘Never’ or ‘Always’ is configured, this defaults to the tenant setting of 30 days. If offline access is restricted to ‘a number of days’, once that threshold is reached, users must be reauthenticated and their access is logged.
-
Permission assignment:
- Assign permissions now: Pre-determines exactly which users get permissions (i.e., permission levels) to content that has the label applied.
-
Permission levels:
- Co-Authors: Can view document content and rights, edit content, allow macros, reply, reply all, forward and save content. Co-Authors can also print, copy, and extract content.
- Viewers: Can view content and rights and allow macros.
- Co-Owners: Full permissions are granted to Co-Owners.
- Reviewers: Can view and edit document content, view document rights, and allow macros.
Applying Sensitivity Labels
Sensitivity labels can be manually applied to two different Microsoft product scopes:
- Files and emails – applies to O365 applications including Outlook, Word, Excel, and PowerPoint, as well as Power BI.
- Groups and sites – applies to Microsoft Teams channels, SharePoint groups and sites and O365 groups.
The use of sensitivity labels is non-mandatory and requires manual application from the end user. Please note that data will not be automatically labelled.
Please ensure that you are familiar with the Known Limitations as well as the Recommendations regarding the use of sensitivity labels.
After a sensitivity label has been applied to content, it accompanies that content when it is exported to Excel, PowerPoint and PDF files, downloaded to .pbix, or saved (in Desktop) and becomes the basis for applying and enforcing policies.
In addition to the guidance below, you can also learn more about using sensitivity labels by visiting this Microsoft Documentation.
Files and Emails
Please see below for examples on how sensitivity labels are visually displayed for end users. If your organisation has opted-in to the use of sensitivity labels, these will be available for end users on the below products:
- Outlook (desktop/web)
- Word (desktop/web)
- Excel (desktop/web)
- PowerPoint (desktop/web)
- Power BI (desktop/service)
To apply the sensitivity label, end users must manually click on it:
1. Sensitivity labels can be found by clicking in the Sensitivity icon. An example of how to find the labels in Outlook desktop is shown.
Other examples below illustrate how the labels can be found in PowerPoint desktop app and/or Excel web application.
2. Sensitivity labels descriptions will be available by hovering over the label name. The example below is demonstrated in Outlook web.
3. Once the end user clicks on the sensitivity label, it will be applied to the file or email. The following are visual cues that will demonstrate that the sensitivity label has been applied:
Desktop applications: Headers will be visible at the top of the file or email.
Web applications: Headers will only be visible by navigating to Review >Header & Footer (or by attempting to print). Alternatively, please look at the bottom of the document for the name of the sensitivity label applied. The example below is demonstrated in Word web application.
Please note although the header might not be clearly visible in web applications, it will be displayed on sent emails as well as on printed/exported documents and documents opened using the desktop application.
Groups and Sites
Please see below for examples on how sensitivity labels can be applied by Microsoft Teams/SharePoint site owners (provided they have Guest Inviter role), as well as how end users can identify if the Teams/site is labelled.
Applying labels within Microsoft Teams/O365 Groups:
1. A Team owner can change the sensitivity label and privacy setting of the team by going to the team and clicking Edit team.
2. Once the label has been manually applied, it will appear in the Team.
Applying labels within a SharePoint site:
1. A SharePoint site owner can change the sensitivity label of a SharePoint site by clicking on the settings icon at the top of the page, then clicking on site information on the drop-down menu. Next, chose the relevant sensitivity label from the Sensitivity drop-down menu.
2. Once the label has been manually applied, it will appear in the SharePoint site.
Known Limitations
Ahead of applying sensitivity labels, end users should be aware of some known limitations that may be applicable depending on the design of the label applied. Please note that recommendations have been made for some of the known limitations outlined below. These can be found in the section NHSmail Data Sensitivity Label Global Policy – Recommendations.
| Limitation | Impact |
| External Sharing Access | External Sharing Access configurations for groups and sites will remain restricted to External Federated Groups (specific domains) as well as following the rights permissions within the privilege group for sharing (guest invite group).
Additionally, only users assigned to specific admin roles (Guest Inviter role) can invite guests from External Federated Groups to groups and sites, and the user must also be part of the group/site. This means that the sensitivity labels designed cannot be more permissive than the current policies in place (they can only be equally or more restrictive). For the label selected, if the option “Let Microsoft 365 Group owners add people outside your organisation to the group as guests” is set as “no”, then group & site owners cannot invite external guests even if they are a member of the guest invite group. |
| External Collaboration | The sensitivity labels deployed via the NHSmail Data Sensitivity Label Global Policy protect data from external access by design. Please note that this excludes guests already included in the allow list.
Please see a recommendation for this limitation in the section NHSmail Data Sensitivity Label Global Policy – Recommendations. |
| Interaction with Egress | Labelled documents attached to emails will be sent to the recipient as a copy (instead of a live version) if Egress is applied.
Please see a recommendation for this limitation in the section NHSmail Data Sensitivity Label Global Policy – Recommendations. |
| Internal Use Editable – Office Web Application | Documents labelled with “Internal Use Editable” (sub-label to Corporate, Official or Official Sensitive) cannot be printed using the Office Web Application version of Word, Excel and Power Point.
Please see a recommendation for this limitation in the section NHSmail Data Sensitivity Label Global Policy – Recommendations. |
| Relationship Levels | Labelled documents stored within a group/site (i.e.: Teams/SharePoint) cannot be more restrictive than the group/site itself. If an end user attempts to increase the restriction of a file beyond the group/site level, the end user will receive an email notification advising that this cannot take place.
Please see a recommendation for this limitation in the section NHSmail Data Sensitivity Label Global Policy – Recommendations. |
| Syncing OneDrive | Sensitivity label issues with the message ‘Azure Information Protection cannot apply this label’ can arise if the end user’s OneDrive is not synced to their local device.
Please see a recommendation for this limitation in the section NHSmail Data Sensitivity Label Global Policy – Recommendations. |
| Power BI – Label Lowering | There is a Power BI product limitation where justification for lowering a sensitivity label in Power BI is not being triggered and users are not being prompted to provide reasoning. |
| Power BI – Permissions | Data cannot be connected/retrieved from a labelled Excel file if the user developing the report is not part of the sensitivity label permission. This can be observed in two ways:
Protected .pbix files can be only opened by a user who has full control and/or export usage rights for the relevant sensitivity label. |
| Power BI – Connectivity | Power BI Desktop users may experience problems saving their work if internet connectivity is lost. With no internet connection, some actions related to sensitivity labels and rights management might fail to complete. Saving can be re-attempted once back online. |
| Sensitivity Labels Roll Back Timescales | If for any reason your organisation needs to opt-out from the Global Sensitivity Labels deployment, the below indicative timescales for the roll back may apply until the labels are no longer visible in the end users’ UI. In the meantime, the sensitivity labels will continue to be available for use:
|
| Last Reviewed Date | 04/05/2022 |
