Sensitivity labels are a Microsoft Information Protection (MIP) component deployed as a cloud-based solution that enables the classification and protection of content through the application of predefined sensitivity labels.
When sensitivity labels are enabled for your organisation, end users can manually apply them to the following (web or desktop applications):
- Exchange Online emails
- Microsoft Office documents (M365 apps for enterprise subscription) stored in SharePoint Online and OneDrive
- Groups, Microsoft Teams, and SharePoint sites
- Power BI
- End users who wish to apply/use the sensitivity labels must have been allocated (at least) an E3R licence
- End users wishing to use sensitivity labels in O365 desktop applications must also have the appropriate O365 Enterprise Applications subscription to be able to use the sensitivity labels in desktop
- To use sensitivity labels in Power BI, end users must have Power BI Pro or Power BI Premium licences assigned to them. Additionally, end users wishing to manually apply sensitivity labels in Power BI must have editing privileges to the content they wish to label. Sensitivity labels in Power BI are available on both Power BI service and Power BI Desktop
As sensitivity labels are a cloud-based solution, the following network requirements must be met and traffic to the following URL must be permitted from the end user devices:
- The latest supported browser version for the web applications
- Supported operating systems for Mobile devices (Android & iOS)
- To use the sensitivity labels in older Office desktop applications, end users should also have Azure Information Protection unified labelling client add-on installed. The Azure Information Protection (AIP) unified labelling client provides an Office add-on that installs the Sensitivity button on the ribbon for users to select sensitivity labels and optionally displays the Azure Information Protection bar for better label visibility. Newer versions of Office disable the AIP add-in in favour of the built in labelling client, see the guidance here. To learn more about minimum application versions, please visit the Microsoft guidance for Office and Outlook.
NHSmail Global Sensitivity Labels Opt-in Service Request
The NHSmail Global Sensitivity Labels can be enabled to organisations through an opt-in approach. This means that organisations interested in using sensitivity labels as part of their Security and Information Governance strategy must submit a Service Request via the NHSmail Helpdesk Self-Service.
Prior to submitting the Service Request, please ensure that you have read all support documentation related to sensitivity labels available in the NHSmail Support site and that as an organisation, you are aware of the following information:
- Requirements that must be completed so that sensitivity labels can be used by end users
- Current known limitations of the service
- Impacts, use cases and recommendations
- Local Administrator’s responsibility to communicate this change to all end users in the organisation at ODS group level
- The Service Request process and next steps outlined below
Once submitted, the Service Request will be routed to the O365 team who will enable the NHSmail Data Sensitivity Label Global Policy for your organisation through the organisation’s ODS group. Please note that the sensitivity labels will become available to all (and only) users who are part of the specific ODS group. Please note that child ODS groups are not captured as part of this process and must submit their own Service Request. Additionally, the policy will be deployed as per the design outlined in the NHSmail Data Sensitivity Label Global Policy and will not be customisable.
Submitting a Service Request
Please see below for the high-level Service Request process for the enablement of Global Sensitivity Labels:
- Local Administrator logs into their NHSmail account to access the NHSmail Helpdesk Self-Service
- The Local Administrator selects ‘Raise a request’
- The Local Administrator will complete and submit the Service Request form ‘Global Sensitivity Labels Opt-in’
- The Local Administrator will complete the form by providing the organisation’s ODS code and confirming that they have read the guidance available in the NHSmail Support site, and that they understand the implications and requirements outlined prior to submitting the request
- The Local Administrator will then receive an email confirmation for the ticket submission
- Once completed, the Local Administrator will receive an email confirmation for the request completion/closure
If you have any issues using the NHSmail Helpdesk Self-Service for this Service Request, please contact firstname.lastname@example.org using the subject line ‘Organisation Name – Global Sensitivity Labels Opt-in Request’ and including the details outlined in step 4 above in the email.
Local Administrators will be responsible for managing issues related to organisation-specific requirements and day-to-day activities that might impact end users using sensitivity labels. Some of these issues are listed, but not limited to, below:
- Liaise with the organisation Information Governance community and other decision makers regarding the Global Sensitivity Labels design and configurations, including communicating the upcoming change to all end users in the organisation at ODS group level
- Support with end users credentials/account and licensing issues that could prevent them from using sensitivity labels
- Support with ensuring end users have the latest Microsoft supported versions of the Office/Outlook applications on the desktop and latest supported browser version for the web app
- Support with ensuring that Azure Information Protection unified labelling client add-on is installed for the end user if required
- Assist with end users queries which are covered by this documentation
|Last Reviewed Date||13/12/2022|