Storing
A performer must keep records safely and securely (Principle (f) - General Data Protection Regulation). Keeping them securely also means that they're kept confidential (employed staff who have been instructed on your security policy are exempt).
Access to the records by others must only be given if necessary, and with necessary and appropriate safeguards. The performer is expected to make, and be able to demonstrate, an assessment of risk in deciding on appropriate security measures.
Disposing
The Information Commissioner's Office gives detailed and useful guidance on security measures and how to safely to destroy records, in particular computer records which, though deleted, often remain accessible.