spec: Clarify expected process around handling of Confirmation Codes

Suggested-by: David Spence <[email protected]>
Signed-off-by: Michael Brown <[email protected]>

spec/cx.lyx

@@ -3914,6 +3914,14 @@ An SMS message sent to the patient containing a link that is recognised
 A QR code that is scanned by the patient
 \end_layout
 
+\begin_layout Standard
+A Confirmation Code is essentially an authorisation token that grants permission
+ for the holder of the token to create a Notification at an Alert Level
+ selected by the Publisher.
+ A Publisher MUST implement processes to ensure that only appropriately
+ authorised personnel are able to issue and access new Confirmation Codes.
+\end_layout
+
 \begin_layout Standard
 An Advertiser MUST provide a capability for the user to interactively enter
  an arbitrary UTF-8 string as the Confirmation Code, and MAY provide other