Zero: Describe the system (briefly!). As in: I’m going to talk about the _____ system, which does this, that and the other thing.
First: When we talk about confidentiality, we’re talking about unauthorized access to information. That means there is (or at least probably is) authorized access to information. For your system, what roles or people are there with authorized access – and what information can they see or use? Is there anything special about their roles or their level of access? Are there exceptions?
Second: What (briefly) is the worst possible scenario you can think of for a confidentiality failure/breach? What repercussions or impacts are there?
Third: How – in technical or other terms – could (or can) you improve the security of the situation? What measures or technologies would make sense? Why?