The client is a group of nursing homes handling sensitive medical records, resident personal data, staff HR files, and operational documents across SharePoint, OneDrive, and email. The group had been using a third-party data classification tool alongside an increasing investment in Microsoft 365 E5, and the overlap between the two systems was becoming harder to justify.
Service: Technology Consulting
Sector: Nursing homes
The third-party classification tool operated separately from the Microsoft 365 environment. Data labelled in the external tool didn't carry those labels into Microsoft applications natively, creating a disconnect between where data was classified and where staff actually worked with it.
The result was two platforms with different interfaces, different logic, and separate licensing costs. Staff had to think about classification in one system and handle documents in another. Microsoft 365 E5 included Microsoft Information Protection - sensitivity labels, automated labelling policies, and data loss prevention - all built into the same platform the organisation already used for email, file storage, and collaboration. The functionality was there. It just had not been configured.
Nursing homes handle some of the most sensitive data categories in social care - medical records, safeguarding reports, mental capacity assessments, DoLS applications, medication administration records. The existing classification scheme used generic corporate categories that didn't reflect these realities. A sensitivity label called "Confidential" tells you very little about whether a document contains a resident's care plan or a supplier invoice.
The migration was not a simple switch. Years of classification data needed to be mapped to Microsoft's labelling taxonomy, automated policies needed to be built and tested, and the transition had to happen without leaving any gap in data protection.
We started with a thorough assessment of the existing classification scheme: what labels were in use, how they mapped to the organisation's data handling requirements, and where the gaps were between what the third-party tool provided and what Microsoft Information Protection could deliver.
From that assessment, we designed a new sensitivity label taxonomy within Microsoft Information Protection with categories that care staff would recognise: resident medical records, safeguarding documentation, HR and DBS records, financial information, and operational data. Each label was configured with appropriate protections - encryption, access restrictions, and visual markings where needed.
We built automated labelling policies that scan content across SharePoint, OneDrive, and Exchange for sensitive information. Documents containing NHS numbers, medication names, safeguarding terminology, or personal identifiers are automatically labelled and protected without staff needing to remember to do it manually.
Data loss prevention policies were configured alongside the sensitivity labels. If a care worker accidentally tries to email a resident's care plan to a personal email address, the system blocks it and explains why. If someone attempts to download safeguarding documents to an unmanaged device, the policy intervenes. These protections work consistently across email, SharePoint, OneDrive, and Teams.
The migration was staged with both systems running in parallel during the transition period, so there was no gap in protection while the third-party tool was decommissioned.
Data classification now runs entirely within Microsoft 365, managed from a single admin centre. Sensitivity labels, classification rules, and data loss prevention policies are consistent across every application staff use daily.
The third-party licensing cost has been eliminated entirely. More importantly, documents are now classified and protected natively within the tools that care staff use every day. A nurse opening a resident's care plan in SharePoint sees the sensitivity label and knows immediately how the document should be handled.
The classification scheme reflects the realities of nursing home data - not generic corporate categories, but labels that make sense to care managers, registered nurses, and compliance officers. When CQC asks about data protection, the organisation can demonstrate automated, auditable classification across its entire document estate.
Care-specific data classification · Third-party tool replaced with Microsoft Information Protection · Sensitivity labels designed for nursing home data categories · Automated labelling across SharePoint, OneDrive, and Exchange · Data loss prevention integrated with Microsoft 365 · Third-party licensing cost eliminated