You have a number of options. You can look at built in encryption for TSM at layer 7; you can look at VPN for layer 3 encryption which works with layer 7, and you can look at 3rd party encryption which is executed via pre/post scheduled command or at the file system level.
TSM authentication is encrypted, rotating, does not pass a password across the network for authentication and is mutually suspicious. There is a good article written regarding this at MIT. This ensures the two endpoints; client and server are encrypted and secure with rotating encrypted passwords. In addition to endpoints you need to secure the data stream at the network level and the data storage on the storage device itself; namely the tape or disk upon which the data is stored.
As part of security you will need to ensure successful backups and that failures don't exceed a certain threshold in order to meet compliance standards. To achieve this you can use a number of 3rd party reporting tools to make sure your backups meet certain standards which are advertised on this website (Servergraph, ******** etc). These standards include:
Sarbanes Oxley (known as SOX) -
http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act
HIPPA, which is more geared to health sciences.
http://en.wikipedia.org/wiki/HIPAA
Etc.
There's a few of them that monitor your compliance to all 4 major standards.
If you achieve the levels dictated by these standards (the reporting and monitoring will let you know this, or how close you are to it) coupled with a secure network (either dedicated private network to network (point to point) or VPN) with application layer security (either built in to TSM or 3rd party invoked, file system level or otherwise), end point security, facility security etc, you should meet any criteria out there from a TSM perspective.
Removing the data would be done by expiration policy, or you can simply delete filespaces which are TSM containers (volumes) which hold file system data. If you tried to view the tape manually you would see file spaces; inside these file spaces would be encrypted gobblygoup and only the proper decryption could make sense of the mess after a TSM restore.
The end points would be secure, the network segment (VPN) would also be encrypted so sniffing or 'packet sequencing' would also produce indecipherable garbage and be useless.
Consult with a Cisco engineer to determine a strong VPN encryption method which measures up to DOD standards but be aware encryption adds cycles and will slow down the speed of your backups.
I hope that helps.