UNMC and Nebraska Medicine Information Security will enable Microsoft Data Classification labels to be automatically applied across the med center’s Microsoft 365 environment.
This change, which goes into effect Thursday, Feb. 26, supports the enterprise-wide effort to identify, understand and protect institutional data in accordance with established policy and regulatory requirements.
This work aligns with:
- IM‑50 Data Classification, which defines how enterprise data must be classified and protected across UNMC, Nebraska Medicine and the affiliated covered entity.
- University of Nebraska Board of Regents policy on risk classification and minimum security standards, which requires data to be classified based on risk and safeguarded appropriately.
No action is required on the part of users to apply labels.
Information Security will configure Microsoft 365 so that data classification labels are automatically enabled and applied, helping ensure consistent protection across documents and email.
These labels identify the sensitivity level of data, apply appropriate safeguards and reduce the risk of accidental data exposure.
The labels also align directly with the four classifications defined in IM‑50:
- Level 1 – Public data: Low-risk data that can be shared without restriction, such as job postings, directory information or published research.
- Level 2 – Internal data: Moderate-risk data intended for internal use only, such as budgets, departmental procedures and planning documents.
- Level 3 – Confidential data: High-risk data requiring authorization to access or store, including personnel records and FERPA-protected information.
- Level 4 – Highly restricted data: High-risk data that must be tightly controlled from creation through destruction, such as HIPAA-protected health information, Social Security numbers and credit card data.
While the labeling process happens automatically, all users continue to share responsibility for protecting data. Users across the enterprise are expected to handle data in accordance with its classification, share sensitive information only with authorized individuals, use approved systems for storing and transmitting institutional data and report inventories as requested by Information Security.
The new automated labeling process is just one step in protecting the med center’s data, and additional steps will be introduced over time. UNMC and Nebraska Medicine Information Security will continue to provide oversight and standards on the issue.
For more about data classification and data handling policies, see IM‑50 Data Classification and Executive Memorandum 42.
With questions, email Information Security.