What your obligations are

You must comply with the Centrelink Confirmation eServices (CCeS) policy, terms, the procedural guide and any additional conditions on your approval.

We review all businesses using Centrelink Confirmation eServices (CCeS) to check you are doing the right thing. Your obligations for CCeS include:

  • getting customer consent
  • confirming the identity of the person giving consent
  • managing staff access in Business Hub
  • telling us about changes to your business
  • privacy
  • security.

Customer consent

You must get a customer’s consent before you use CCeS to access their personal information. Consent is voluntary and they can decline or withdraw at any time. Your business must have other ways or processes to confirm a customer’s eligibility to a concession if they don’t give you consent to use CCeS.

You can get consent in writing, verbally or using online processes. You can find more information about consent requirements in the CCeS procedural guide.

Customer consent is ongoing until the customer withdraws it or is no longer your customer.

You must meet all the following:

  • have a current valid consent to use CCeS for each customer
  • make sure you confirm the identity of the person giving consent when you get consent and before you use CCeS
  • keep consent records for 2 years from the last time you gave your customer a concession, rebate, or service
  • use the standard consent wording in the CCeS procedural guide in your customer consent records.

Confirming identity

You must confirm the identity of the customer or their representative if they have one, when getting consent and before using CCeS.

You must use reliable and secure methods to verify identification. You can find more information in the CCeS procedural guide.

Staff access

You must train new staff in all aspects of using CCeS before they access it.

It’s important staff only use their own logon ID and password. Don’t share logon IDs and passwords. We consider sharing to be a breach of your contract with us.

In Business Hub, Authorised officers and Access Managers of your business are responsible for managing changes to your staff’s access. This includes adding, removing or updating staff access.

You must immediately remove access for any staff that no longer need access to CCeS.

If your business has staff who will access CCeS from a location outside of Australia, you must tell us. We’ll need information about the arrangement before we approve access to CCeS to anyone outside of Australia.

Business changes

Tell us about changes to your business. This includes changes to your:

  • business structure or practices
  • Australian Business Number or Australian Company Number
  • business or trading name
  • address details.

Privacy and security

You must comply with privacy and secrecy legislation for personal, protected and confidential information.

You must tell us of any security incidents such as unauthorised disclosure.

You must store customer details in a locked cabinet or secure database. You’ll need to provide consent records to us if we ask to see them.

This means you can’t:

  • access any customer information without a business need
  • use the customer’s Customer Reference Number (CRN) for any purpose other than for CCeS data exchange
  • share customer information without their consent
  • access your own information or the information of people you know
  • allow access to information to any unauthorised person.

More information

Find all your obligations in the CCeS policy, CCeS terms and CCeS procedural guide.

Page last updated: 26 June 2026.
QC 65907