It's not illegal if the government does it. Right?
In this case I think that is literally true. The CP laws in the UK have an exemption for those with a legal reason to possess or create the stuff (making a copy counts as "creation"). It was intended for lawyers and policemen who have to handle CP in the course of prosecutions, but it looks to me like it would be pretty trivial to extend it to the normal operation of full body scanners, just by having the home office declare this to be the case.
Besides, a nude image of a child is not necessarily CP. The key word is "indecent", which in this context has its normal dictionary meaning of "not generally acceptable". This means that the context matters as much the image itself. I seem to recall a case where a collection of cuttings from the underwear sections of child clothing catalogues was found to be indecent, even though none of the source catalogues were. Similarly a collection of scanner images made in the normal course of someone's work would be OK, but if some employee excerpted just the images of children then that would probably be indecent.
Of course, IANAL.
Extreme Associates was the subject of a PBS Frontline documentary entitled "American Porn,"
I suspect this is the real reason they went to prison. You can enjoy your odd habits, as long as you keep them out of sight. Its telling other people about it that is the real crime.
It sounds like this is a knee-jerk reaction to all those "data-loss" stories. Encrypting *everything* is probably the wrong answer. Start by deciding what the goals are. Then look for the answers that meet those goals in the most cost-effective manner. Security is not a product, its an emergent property of the entire system, including the people who use it. If you don't tackle it in a system-wide manner then you haven't a hope.
* Goals: what are you trying to protect? (Confidential data, presumably).
* How might it leak out? (Lost mobile devices, trashed hard drives, posted CDs, angry/corrupt/public-spirited employees all spring to mind).
* Who does the data have to be shared with? Do they have similar polices? Are they enforced?
* How can you prevent leaks? Depends on the problem. Declaring an "everything encrypted" policy probably won't help much, because you can't stop someone bringing their own unencrypted thumb drive in and stuffing data on to it. Also its not cost-effective to encrypt ordinary applications. Its user data you need to encrypt.
So you have to start with an education job. Get the senior management to see that this policy is not going to fix their problem, then show them something more intelligent.
Windows is probably not capable of supporting a complex security policy. But SE Linux might. If you declared that all mobile devices (laptops, thumb drives, PDAs, mobile phones) must not have sensitive data unencrypted, then put a SE-Linux policy in that divides directories into "sensitive" and "unrestricted", and won't let data move from sensitive to unrestricted without passing through an approved encryption process. That will help stop dumb accidents, but it won't stop deliberate leaks, and it won't stop someone writing the key on a post-it note on the CD.
I don't know how to set up something like this in SE-Linux: you are likely to need a guru for that.
I seem to recall that in the US terms of service have been found to define "authorised access" to a computer, and access outside of the TOS is therefore unauthorised. That puts you in direct violation of US anti-cracker laws about unauthorised access to a computer. If more than $5,000 worth of "damage" is caused (including investigation and cleanup costs) then it carries a maximum of 5 years in the pen. If its done for gain (as in this case) then thats 10 years.