Questions
- What is Data Loss Prevention (DLP) and why is Bowdoin using it?
- What sensitive data does DLP detect?
- Where does DLP work in Microsoft 365?
- What happens if I try to share restricted data externally?
- How do I share safely or get help if I’m blocked?
Environment
For Bowdoin students, faculty, and staff using Microsoft 365: Outlook (email), OneDrive, SharePoint, Teams, and Microsoft 365 Copilot. DLP runs automatically to prevent accidental sharing of sensitive personal data outside Bowdoin. No setup needed—just sign in with your Bowdoin account.
Resolution
- What DLP does
  - Detects and protects sensitive data (SSNs, U.S./U.K. passports, U.S. driver’s licenses, bank and credit card numbers, ITINs).
  - On external sharing, DLP may show a warning, encrypt email, block external access, or limit Copilot processing.
- What you’ll see
  - Email (Exchange Online): If an email or attachment to an external recipient appears to contain restricted data, you may see a policy tip explaining the issue. Depending on the volume of sensitive data, the system may encrypt the email or block it. In some cases, you may be allowed to provide a business justification to proceed (override) when appropriate and approved by policy.
  - OneDrive and SharePoint: If a file shared with people outside Bowdoin contains restricted data, external access may be automatically blocked. You’ll receive a notification with guidance. You can still collaborate internally or remove the sensitive data before re-sharing externally.
  - Teams chats and channels: Messages or files shared with external participants that contain restricted data may be blocked from external access, and you will see a policy tip.
  - Microsoft 365 Copilot and Copilot Chat: If content labeled “Restricted” is involved, Copilot may limit or block processing to protect that data. You may receive a notice explaining that certain content cannot be used.
- Share safely
  - Remove sensitive data before sharing externally when possible.
  - Use “Specific people” links, not anonymous links.
  - Store sensitive files in internal-only locations; use sensitivity labels if available.
  - Read policy tips—they explain what was found and safer options.
- If you’re warned or blocked
  - Email: Edit or remove sensitive data; or, if allowed, provide a business justification to override.
  - OneDrive/SharePoint/Teams: Redact the file, then re-share; or share internally only.
  - Copilot: Rephrase to avoid sensitive content or use non-restricted files.
- Need to share but can’t
  - Redact fields (e.g., show only last four digits when appropriate).
  - Check with your supervisor for approved secure methods.
  - Overrides (if offered) require a clear business reason and are audited.
- Get help
  - Contact the IT Service Desk. Include the file name, location (OneDrive/SharePoint/Teams/Email), intended external recipient, and what you were trying to do. Do not include the sensitive data itself.