Atala PRISM hasn’t been released to the public yet, hence there is no information on its implementation that I am aware of. (If anyone reads this and I’m wrong, please point me in the direction, I would love to learn).
The best guess/speculation is by reading the W3C DID specification. I did a brief run down here - Atala Prism Expiring Credentials and Revocation
But looking back on that I don’t think that is 100% correct. It was a late night session learning binge 
Based on my best guess (so please don’t take this as confirmed), here is what I think:
-
What data you put on the blockchain will be up to the application. You could easily put readable metadata on there, or have it encrypted. But any sensitive information itself I don’t think should be kept on the blockchain. It is public after all and even if encrypted, if the encryption is broken at a later date, you can’t remove it. Normally the DID’s are used as verification of identity, which can then be used as authentication to pull information from certain providers servers. Hence the bulk of the data won’t live on the blockchain.
-
If private keys are lost, from what I understand you start again. Get a new wallet and then get everything reissued and your old credentials are canceled. I remember reading somewhere (please don’t quote me on this), that they were looking at ways for wallet recovery by having numerous backup people. Sort of like a backup recovery email but with multiple people. However it was more in the conception phase and not actually undergoing any implementation.