Enforcing desired level of confidentiality of specific data takes preventing unauthorised people from tampering with the data. It boils down to separating sensitive assets from people who have not been granted access to them. The proper separation needs actions on both, assets and people.
The assets should be divided depending on their sensitivity (particularly confidentiality). And by divided I mean physically separated, so no-one with no proper clearance is allowed to access the location.
Equally important is to properly manage staff's access rights. Clearances should be given only to people properly screened before, so trustworthy enough (it's hard to put it less precise, I know) and only on the "need to know" or "need to have" basis.
And to complete the picture special emergency (fire, etc.) procedures for restricted zones should be developed, so that neither unauthorised people are able to access sensitive locations nor people evacuating from restricted areas are able to mix with them. It considerably improves both, access control and user accountability.
Pretty obvious, but... you know how it is.