1. The role of law in security management
ISO 27001:2005 (as also former BS 7799-2) demands organizations to identify the laws and contracts that may pose constraints or requirements to security management. Organizations in their chore to enhance the protection of its information capital may be confronted with decisions involving security measures, which may interfered with rights of individuals or organizations safeguarded by law and contracts.

To depict this assertion, we may ponder the following decisions:

- Can an organization use video cameras to observe their employee’s security posture?
- Can an organization access personal e-mails of an worker?
- If an organization decides to save and process biometric data, it there any particular requisite?
- Are new employees in an organization compliant to their existing security regulations?

These are some of the interrogations, which in some cases, may lead decision makers to quandary judgments regarding legalities.

Next, we are going to present some legal requirements derived from laws as the Labour Code (Código do Trabalho) and then specify some particular questions related to this law.

2. Some laws with influence in security management
Security management, in the context of an organizations functioning under the Portuguese legal framework, must be conformed to a group of legal requisites. As result of a preliminary effort, we may recognize the following sources of compliance:

a. Inform employees of security norms to make them legally accountable under the Portuguese labour legislation (Código do Trabalho - Law n. 99/2003 of 27 of August).

b. Protect the privacy of personal information according to (1) European Commission’s Data Privacy Directive (Directive 95/46/EC), (2) Portuguese Data Privacy Law (Lei de Protecção de Dados Pessoais, law number 67/98 from 26th October) and (3) Rulings from the Portuguese National Committee of Data Protection (Comissão Nacional de Protecção de Dados).

c. Protect software rights according to Portuguese legislation on software licensing (1) Código dos Direitos de Autor e dos Direitos Conexos - law number 144/91, (2) Regime de Protecção Jurídica das Bases de Dados - law number 252/94 and (3) Protecção Jurídica das Bases de Dados - law number 122/00).

d. In case of security violation apply the (1) European Convention on Cyber crime and (2) Portuguese Informatics Criminal Law (Lei da Criminalidade Informática, law number 109/91 from 17th August).

e. Comply with other applicable Portuguese legislation.

f. Comply with applicable rulings from the Portuguese National Forum of Data Protection (Comissão Nacional de Protecção de Dados).

g. Storage of all documents concerning accounting (Código das Sociedades Comerciais)

3. Some questions regulated by the Labour Code (Código do Trabalho)
As a significant part of managing security is, actually nothing more than, managing people, security management is heavily dependent on human resource legislation.

In Portugal labour legislation is based on (1) the Labour Code, Código do Trabalho Law n. 99/2003 of 27 of August identified by CT in the text and (2) its special legislation, Legislação Especial do Código do Trabalho, Law n. 35/2004 of 29 of July, identified by LECT in the text.

May the organization employ video-surveillance to watch their employee’s work performance?
No. According to art. 20 of the CT, video-surveillance can sonly be used, in work premises, due to security reasons concerning assets and people. Furthermore, this situation requires specific authorization of the National Committee of Data Protection (art. 28º1 of the LECT).


Can the organization access emails with personal content?
No. The worker has the right to his privacy. The Labour Code recognizes the right of reserve and confidentiality (direito de reserva e confidencialidade) of workers regarding the content of electronic messages and personal information (art. 21º1 of the CT). Nevertheless, the organization may define usage rules of communication devices (art. 21º2 of the CT) and verifies its application, employing non-intrusive means (more details at CNPD site).

Are employees in an organization compliant to accept security regulations?
The Labour Code stipulates that employees, during the first 21 working days, after the presentation of new regulations may oppose to them by writing. If nothing is presented during this period of time, it is acknowledged that the worker has tacitly accepted those (art. 95º of the CT).

The organization has the duty to inform employees about their working conditions and applicable internal regulations (art. 97 of the CT). Therefore, new regulations must be communicated to employees and the organization must maintain records of signed declarations to prove that the employees were – in fact - informed.

Are new employees compliant to accept security regulations?
New employees also enjoy of the same 21 working days period to present written opposition to regulations. This period for new employees starts with the commencement of the the labour delivery.

The organizations must inform the worker of the existing regulations, during the subsequent 60 days after the commencement of the labour delivery (and not from contract formulation) (art. 99.4 of the CT).

4. Conclusions
Organizations to ensure compliance of security management with the legal and contractual requirements must clearly (1) enumerate the list of applicable laws and contracts and then (2) analyse the legal implications of any security measure.

The first task – identifying legal constraints – should be done in an ongoing manner, due to mutable nature of laws (new laws are enacted every day).

The ultimate task - legal assessments - can be done during the implementation of the Information Security Management System (ISMS) and should be done for every new proposed measure.

In sum, under the aegis of ISO 27001:2005 (the standard that defines security management) organizations should seek legal counselling to assist them in the verification of legal compliance.