This is one of the core problems with any surveillance/data-collection programs - sensitive data will get out or be misused. Whether it's a genuine mistake, insufficient oversight, poor education, bad practices, malicious intent or self-serving individuals, it will happen.
The best way to prevent this is just to make sure the information is not recorded in the first place.
That's not overly helpful so in practice you must restrict the data to ONLY what is needed. This is achieved by careful selection of what data is collected and then applying ruthlessly strict controls over who can access what and when, coupled with all-pervading oversight and enforced punishments for any lapses.
The biggest issue and the reason this discussion keeps getting bogged down is that those who want this retention are unwilling to be honest and upfront about the risks. In their rhetoric, there are no risks - everything is completely safe, locked down and no one has any cause to worry.
The truth, however, is that the more information they have access to and the more easily they can access that information, the higher the risk to the public. Once that is admitted and out in the open, we can all have an honest discussion about how much risk we want to accept.
But of course there is no interest in having an open conversation with the public.