The organization under analysis is the New York Public Library. In this organization, security issues are taken into account because the library gathers and keeps users' personal data and personal information. The New York Public Library consists of several branches and departments; it has regional branches and has more than 43,975,362 items. The library computerized its lending services in order to improve customer service and streamline its routine work.
The security program aims to protect users from unauthorized access to their information and to protect the library from attacks. Beyond that, however, all staff, especially those who deal with personal data regularly, need to be aware of what they are allowed to do, what they are not allowed to do, what security procedures they are expected to follow, and whom to ask if they are in any doubt. There must be policies spelling out what is expected, opportunities for staff to know what those policies are and what procedures are required to implement them, and regular checks on whether the policies and procedures are being followed (Data Security and Protection 2008).
The security program was implemented 5 years ago. It is supposed that the biggest risk to security is almost always staff. The damage they do can be deliberate: stealing information about people, such as business contacts they want to use for their own purposes, for example, or trashing the database out of frustration at being demoted. More often it is unthinking or inadvertent: giving information over the telephone to someone who shouldn't have it, leaving confidential files on their kitchen table for a neighbour to see when they are working at home, or chatting in the canteen about a user's borrowing habits where other people can overhear. Even with external threats, the accepted wisdom is that anyone trying to gain access is more likely to succeed by tricking staff into giving away vital information than by hacking straight into the computer (Data Security and Protection 2008). The first line of defense is therefore to ensure that staff are aware of the possibilities and operate within a culture where information, and especially personal data, is handled carefully and responsibly. To support them, employees should take measures that make it as easy as possible for them to do the right thing. At the same time, employees should not be over-anxious. Security measures must be appropriate to the threat, not 100% perfect every time. (Even government security agencies have been known to lose vital information held on laptop computers.) The kind of things the responsible person at the departmental level should be looking at include (Baschab et al. 2007; The New York Public Library 2008).
In the New York Public Library, one area that often gives rise to concern is e-mail. Although the dangers can be exaggerated, it is important to be aware that e-mail is inherently insecure. E-mails themselves may constitute personal data if the addressee is identifiable. More importantly, if e-mail is used for sending personal data to other people, some thought should be given as to whether it should be encrypted. Special attention is given to the information department of a charity. A new computer system is introduced for holding details of telephone enquiries, which