Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From data-classification-skills
Implements enterprise data classification labeling systems using Microsoft Purview, including metadata tagging, DLP integration, automated label propagation, user-applied labels, and inheritance rules.
How this skill is triggered — by the user, by Claude, or both
Slash command
/data-classification-skills:data-labeling-systemThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Data classification labels are the operational mechanism through which classification policy is enforced across the enterprise. Labels attach classification metadata to data assets — documents, emails, database records, and cloud resources — enabling automated enforcement of handling requirements through DLP policies, access controls, and encryption. This skill covers the design and implementat...
Data classification labels are the operational mechanism through which classification policy is enforced across the enterprise. Labels attach classification metadata to data assets — documents, emails, database records, and cloud resources — enabling automated enforcement of handling requirements through DLP policies, access controls, and encryption. This skill covers the design and implementation of a labelling system using Microsoft Purview Information Protection as the primary platform, with architecture patterns for automated labelling, user-applied labelling, label inheritance, and cross-platform propagation.
Vanguard Classification Labels
├── Public
│ └── (no sub-labels)
├── Internal
│ └── Internal - Project Confidential
├── Confidential
│ ├── Confidential - Customer Data
│ ├── Confidential - Employee Data
│ ├── Confidential - Financial Data
│ └── Confidential - Legal
└── Restricted
├── Restricted - Special Category (Art. 9)
├── Restricted - Criminal Data (Art. 10)
├── Restricted - AML Investigation
└── Restricted - Board & Strategy
| Label | Colour | Visual Marking | Encryption | DLP Policy | Auto-Apply |
|---|---|---|---|---|---|
| Public | Green | Footer: "Vanguard Financial Services — Public" | None | None | No |
| Internal | Blue | Footer: "Vanguard Financial Services — Internal Use Only" | Optional | Warn on external | No |
| Confidential | Amber | Header + Footer: "CONFIDENTIAL" | Azure RMS (AES-256) | Warn + audit external; block personal email | Yes (when PII detected with >85% confidence) |
| Restricted | Red | Header + Footer: "RESTRICTED" with red background; watermark on print | Azure RMS (AES-256, double key encryption) | Block all external; block USB/print; alert DPO | Yes (when Art. 9/Art. 10 data detected with >85% confidence) |
┌─────────────────────────────────────────────────────────────────┐
│ Microsoft Purview │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────────────┐ │
│ │ Sensitivity │ │ Auto-labelling│ │ DLP Policies │ │
│ │ Labels │ │ Policies │ │ (endpoint, email, │ │
│ │ (definitions) │ │ (rules) │ │ SharePoint, Teams) │ │
│ └──────┬───────┘ └──────┬───────┘ └──────────┬───────────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Unified Label Application Engine │ │
│ └──────────────────────────────────────────────────────────┘ │
│ │ │ │ │
└─────────┼──────────────────┼──────────────────────┼──────────────┘
▼ ▼ ▼
┌─────────────┐ ┌──────────────┐ ┌──────────────────────┐
│ Office Apps │ │ SharePoint/ │ │ Endpoint DLP │
│ (Word, Excel,│ │ OneDrive │ │ (Windows devices) │
│ Outlook) │ │ │ │ │
└─────────────┘ └──────────────┘ └──────────────────────┘
| Setting | Value |
|---|---|
| Policy Name | VFS-AutoLabel-Confidential-CustomerPII |
| Scope | All SharePoint sites, OneDrive accounts, Exchange mailboxes |
| Conditions | Content contains ANY of: UK National Insurance Number (HIGH confidence), IBAN (HIGH), Vanguard Account Number (HIGH), Credit Card (HIGH + Luhn validated) |
| Minimum count | 1 instance of any SIT at HIGH confidence |
| Label applied | Confidential - Customer Data |
| Priority | 2 (overridden by Restricted auto-label) |
| Setting | Value |
|---|---|
| Policy Name | VFS-AutoLabel-Restricted-SpecialCategory |
| Scope | All SharePoint sites, OneDrive accounts, Exchange mailboxes |
| Conditions | Content contains ANY of: ICD-10 codes (MEDIUM+), health terminology trainable classifier (HIGH), biometric template format detection, genetic marker patterns |
| Minimum count | 1 instance at MEDIUM confidence or above |
| Label applied | Restricted - Special Category (Art. 9) |
| Priority | 1 (highest priority — overrides all other auto-labels) |
| Setting | Value |
|---|---|
| Policy Name | VFS-AutoLabel-Restricted-CriminalData |
| Scope | HR SharePoint sites, Compliance SharePoint sites |
| Conditions | Content contains: DBS reference patterns, criminal conviction terminology, SAR reference numbers |
| Label applied | Restricted - Criminal Data (Art. 10) |
| Priority | 1 |
| Rule | Description | Implementation |
|---|---|---|
| Container inheritance | Items in a labelled SharePoint site inherit the site's label as minimum | Site sensitivity label propagates to new items; existing items retain higher label |
| Email attachment inheritance | Attachments inherit the email's label if attachment label is lower | Outlook plugin checks attachment label vs email label on send |
| Parent-child inheritance | Child documents inherit parent folder label as minimum | SharePoint library policy; items cannot be labelled below folder label |
| No downgrade without approval | Users cannot remove or downgrade labels without justification | Label policy: require justification text for downgrade; audit log entry |
| Highest label wins | When documents are merged or combined, the highest label applies | User training + DLP monitoring for combined documents |
| Scenario | Who Labels | How |
|---|---|---|
| New document creation | Author | Select label from Office ribbon (Word, Excel, PowerPoint) |
| New email composition | Sender | Select label from Outlook toolbar; mandatory before sending external |
| File upload to SharePoint | Uploader | Label prompt on upload if no label detected |
| Data export from system | Exporter | Label selection required before export completes |
| Physical document printing | Printer | Classification header/footer printed automatically; user selects tier if not auto-labelled |
| Setting | Value |
|---|---|
| Require label on documents | Yes — all Word, Excel, PowerPoint documents must have a label before save |
| Require label on emails | Yes — for emails to external recipients; recommended for internal |
| Default label | Internal (applied if user does not select; user can override up or down) |
| Justification for downgrade | Required — user must enter text justification; logged in audit |
| Justification for removal | Required — DPO-approved exception only |
| Label | External Email | USB/Removable | Screenshot | Cloud Upload | |
|---|---|---|---|---|---|
| Public | Allow | Allow | Allow | Allow | Allow |
| Internal | Warn | Warn | Allow | Allow | Block (non-approved cloud) |
| Confidential | Warn + audit | Block | Secure print | Allow (watermarked) | Block |
| Restricted | Block | Block | Block (unless DPO approved) | Block | Block |
| Alert Severity | Label Trigger | Routing |
|---|---|---|
| Low | Internal label — external email warn overridden | Security team email |
| Medium | Confidential label — external sharing attempted | Security team + Data Owner |
| High | Restricted label — any policy trigger | DPO + CISO + immediate investigation |
| Critical | Restricted label — data exfiltration indicators | DPO + CISO + Incident Response Team + 15-minute SLA |
| Platform | Label Method | Propagation |
|---|---|---|
| Microsoft 365 (Word, Excel, PowerPoint) | Native sensitivity label in file metadata | Full support — label travels with file |
| Outlook / Exchange | Email header X-MS-Exchange-Organization-Classification | Label persists in message store and forwarded copies |
| SharePoint Online | Document library metadata + file metadata | Dual storage — library and file level |
| OneDrive for Business | File metadata | Same as SharePoint |
| Teams | Channel/chat message metadata | Limited — file attachments inherit, message labels in compliance |
| PDF export | Visual marking (header/footer) + XMP metadata | Visual marking persists; metadata depends on PDF viewer |
| Azure SQL Database | Column-level sensitivity classification (sys.sensitivity_classifications) | Native Azure SQL feature; integrates with Purview |
| AWS S3 | Object tags (key: classification, value: tier) | AWS-native tagging; read by Macie and IAM policies |
| On-premises file shares | File metadata (NTFS ADS) via AIP Unified Labelling client | Requires AIP client installed on endpoints |
2plugins reuse this skill
First indexed Mar 26, 2026
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin data-classification-skillsImplements enterprise data classification labeling systems using Microsoft Purview, including metadata tagging, DLP integration, automated label propagation, user-applied labels, and inheritance rules.
Implements DLP policies with Microsoft Purview for Exchange, SharePoint, Teams, endpoints, and Power BI. Configures sensitivity labels, custom regex types, deploys endpoint rules, monitors via Activity Explorer.
Implements data loss prevention policies with Microsoft Purview, configuring sensitivity labels, DLP rules, and endpoint protection across Microsoft 365. Uses PowerShell and Graph API for automation.