"It would help if you could explain what you mean by confidentiality breaches. Do you mean unauthorised accesses ?"

No, I think what JOeuf means is the (likely unique) case whereby data are recorded in a GxP system which identify a Participant and the data should never have been recorded in the first place (e.g., breaks EU GDPR laws). In such a case there should be a process to expunge the actual identifying data, since leaving teh original data in teh audit trail would not satisfy the relevant privacy law(s).