Implementing Data Encryption

Taking a step back from the technical discussions (hence the new thread), I wanted to discuss policy/practice for a moment, i.e. how are people planning on actually implementing a new data handling policy to cover encryption of pen drives, etc?

How are you "selling" it to staff?

Are you using whole drive encryption, and if so how will you prevent use of non-encrypted drives without impacting upon students? Alternatively, are you making file-level encryption available and encouraging people to use it, and if so how do you ensure this is happening?

Is it sufficient to provide a method of encryption (but not force its use) and educate users in appropriate data handling, or are we legally required to do more than that?

Also, why are we actually bothering, since loads of this "sensitive" information is collated into end-of-year reports which are printed and sent out in the post?!

Misuse or mishandling of sensitive information is an automatic disciplinary offense here. It's in the LEA security policy..