Your internal track of incidents should be kept as safe as possible, and contain as little information as possible, but enough to make sure it’s actually useful to prevent from harassers attending your event.
A minimal number of people should be able to access the Spreadsheet. Make sure to share it with only specific people -- ideally only Conference Chair and Code of Conduct team should be able to access it.
When the Conference Chair or Code of Conduct team changes, the access should be removed and shared with appropriate people.
Records about incidents that only resulted in warnings should be stored for a period of 2 years only. All other reports should be stored indefinitely.
The spreadsheet should be checked frequently by the Conference Chair during the ticket registration period to make sure people who register to the conference are not banned from the conference.