Before tackling the digital aspect of data storage it is essential to discuss the basic legal principles outside of digital constraints. The main statute for this is the Data Protection Act (DPA) of 1988.
There are essentially 8 basic principles, which stipulate how information described as personal should be managed. This essay will only consider those principles referred to in the question.
The first of these is security, for which the Act dictates that all personal data must be kept under tight controls and protected from unauthorized access. Technical measures such as password encryption and backup contingencies are therefore strongly advised. Furthermore, adopting security policies and restricting staff access to sensitive data is a DPA prerequisite.
The DPA also tackles the issue of privacy, referring to the handling of 'sensitive' or 'personal' data. Here this relates to the context of the employee/employer relationship. Thus the data controller (i.e. the employer) has to take particular care when handling personal data to ensure it does not discriminate on the grounds of race, gender, age or disability.
Similarly, the processing of staff medical records would also be considered 'sensitive' and is therefore required under the Act to be handled by a health professional or someone working under an equivalent duty of confidence (e.g. an occupational doctor).
The disclosure of information to third parties is also a major principle in the Act, under what is termed 'lawful processing'. Accordingly, the forwarding of personal data to third parties must only take place with the prior approval of the original data subject. Thus a banking corporation may not forward its clients' details to third parties for marketing purposes without the clients' consent. Similarly, recipients of such information must be certain they have the approval of the data subject before making use of the information for marketing or any other purpose.