top of page
Search

The Purview Labeling Mistake Almost Every Organization Makes

  • Writer: E.C. Scherer
    E.C. Scherer
  • Mar 18
  • 4 min read

One of the most common questions I hear during deployments is:


“Why don’t we have a Client label?”


It usually comes up early in conversations about sensitivity labels. Someone is thinking about the types of information the organization handles and trying to map that into labels.


My answer is usually some version of this: Think of labels as classifications of data, not descriptions of what the data is about.


At one organization I worked with, their information security policy defined four classifications:

  • Public

  • Internal

  • Confidential

  • Highly Confidential


That policy became the foundation of the labeling strategy.


When someone asked why we didn’t have a Client label, the answer was simple:

Client data can span multiple classifications.

A client marketing brochure might be Public.

A client proposal might be Confidential.

A contract or financial record might be Highly Confidential.


Notes from the field: The subject of the document doesn’t determine its classification. The sensitivity of the information does.

The Mental Model That Causes Problems

When organizations start designing labels, the conversation often goes in a different direction.


Instead of classifications, the discussion becomes about things like:

  • PII

  • PHI

  • Client Data

  • Legal

  • HR

  • Financial


What’s happening here is that people are trying to solve several different problems at once.


Sometimes they are trying to:

  • tag documents by sensitive information types

  • map labels to compliance requirements

  • understand what their data estate actually contains


Those are all valid goals.


But sensitivity labels aren’t designed to solve those problems directly. When they’re used that way, things start to break down.


Notes from the field: The moment a label discussion starts with “We need labels for PII, PHI, Client, Legal, and HR,” I know we’re about to build a taxonomy instead of a security model.

What Sensitivity Labels Are Actually For

A sensitivity label should represent the classification of the data and the controls that apply to it.


A good label model does three things well.


First, it maps directly to security controls.

If something is labeled Highly Confidential, that should automatically trigger specific protections:

  • encryption

  • sharing restrictions

  • DLP policies


Second, it should be reusable across sensitive data types.

The same label should work whether the document contains:

  • PII

  • PHI

  • financial information

  • proprietary intellectual property


Third, it should be clear and concise for users.

Users shouldn’t have to stop and think:

“Is this more PII or financial data?”

They should only have to answer one question:

How sensitive is this information?


Notes from the field: If a user has to decide whether a document is more “PII” or “financial data,” the labeling model is doing too much work.

Diagram comparing two Purview labeling approaches: labels based on data types like PII and PHI versus classification labels like Public, Internal, Confidential, and Highly Confidential.
Many Purview deployments start by labeling data types. Effective label strategies classify how sensitive the information is, not what the data is about.

Why Policy Matters More Than Label Names

When I walk into a new environment, I care less about what the labels are called.


What matters is what the information security policy says. Confidential could be called Restricted. Public could be called General.


The names don’t matter nearly as much as the handling requirements behind them.


If a policy says:

Contract information is considered Highly Confidential and should not be stored outside of Microsoft 365.


That statement defines your baseline.


From there, the label exists to enforce the controls tied to that classification.


What Happens When Labels Are Built the Wrong Way

When labels are designed around sensitive data types instead of classifications, a few things usually happen.


Policies (both organizational and technical) start to conflict with each other.


New labels have to be created every time a new business scenario appears.


Users are forced to decide whether a document is more:

  • PII

  • Financial data

  • PHI


Security controls become redundant or inconsistent.


Administrative overhead grows quickly.


And eventually, the entire system starts to feel like guesswork. Instead of simplifying data security, the labeling strategy makes it harder.


Security Blanket Nature Break

Step away from the dashboards for a moment.



This Pink Lady’s Slipper (Cypripedium acaule) grows in quiet forest understories and can take years before producing a flower.


When you find one, there’s no confusion about what it is, no debate on how to classify it.


Clear categories make complex systems easier to understand.


The Goal of a Good Label Strategy

A good labeling strategy should make data protection predictable and scalable. Labels describe the sensitivity of the information. Controls enforce how that information must be handled.


A good labeling strategy should survive organizational change. If a merger, new regulation, or new business unit forces a redesign, the labels were probably tied to the wrong thing.


And users only need to answer a simple question when they create or share something:

How sensitive is this?


When the model works that way, labels become something people can actually use without overthinking them.


And the security controls tied to those labels start working the way they were intended to.



Comments

©2026 by E.C. Scherer

bottom of page