New Storage Guidelines and Sensitivity Labels

Microsoft 365 offers many benefits, including file storage space through OneDrive and Teams/SharePoint, enhanced security, and real-time collaboration and communication through Teams and Office applications. With so many tools and applications available to store your data, you may be wondering which spaces are appropriate for different data types. For instance, which space is appropriate for Protected data (personally identifiable information)? Or can we store Highly Confidential data in our Microsoft spaces?

Data Storage Guidelines

This month, Information Technology released a new University Data Storage Standard. This document expands on previously available guidance defining the types of data at JMU, and it also provides an updated matrix of places where it is acceptable for you to store each data type. You should become familiar with this document to help you determine where to safely save your data in our various cloud services.

Sensitivity Labeling

Further enhancing security, Information Technology will soon introduce Microsoft's Data Sensitivity Labeling. In early December, you will notice a new option in several Microsoft applications allowing you to label any document or email as Highly Confidential, Protected, or Public. A brief description of each type is below. By labeling a document according to its type, you add an additional layer of security.

Label Descriptions:

• Public: University data that can be shared to the general public without restriction.
• Protected: Non-highly confidential university data that has Personally Identifiable Information and is worthy of protection and discretion in its distribution and use.
• Highly Confidential (Note: per the University Data Storage Standard, you must get approval from Information Technology to store any Highly Confidential data in Microsoft. Simply using a label is not sufficient!)
  • GLBA (select groups): Non-public personal financial information ("Covered Data") protected by the Gramm-Leach-Bliley Act (GLBA). This includes, but is not limited to, bank and credit card account numbers, income and credit histories, tax returns, and financial aid information.
  • Health Information: This is health information regulated by HIPAA or FERPA. This includes, but not limited to, medical records, medical record numbers, vaccination records, and health insurance information.
  • Research: Research data/records resulting from a systematic investigation including, but not limited to, research proposals, laboratory records, progress reports, abstracts, theses, oral presentations, internal reports, journal articles, and any related documents and materials.
  • General: Other highly confidential data including, but not limited to, Social Security Numbers, driver's license numbers, Visa numbers, Passport numbers, Taxpayer Identification Numbers (TINs), banking/credit card data, and biometric identifiers (i.e. fingerprints).

Outlook

• You may add a sensitivity label to an outgoing email.

OneDrive

• You may add a sensitivity label to any individual Word, PowerPoint, or Excel file.
  • Note: Highly Confidential data is prohibited in OneDrive.

Teams/SharePoint

• You may add a sensitivity label to any individual Word, PowerPoint, or Excel file.
• If you would like a team or SharePoint site to automatically add a sensitivity label to all new documents in your team/site, please reach out to Information Technology.
  • Note: if you would like to store Highly Confidential data in Teams or SharePoint, you must get approval from Information Technology.

For more detailed information, please refer to Information Technology's knowledge articles on Sensitivity Labeling.