Customer consent for Centrelink Confirmation eService (CCeS) 101-09010030

Centrelink Confirmation eServices (CCeS) is a secure online service that provides an efficient and effective method for businesses to confirm a customer's entitlement to a concession, rebate or service it provides to Services Australia and Department of Veterans' Affairs (DVA) customers.

Businesses must apply and be approved by the agency to use CCeS.

Once approved, customers can provide their consent to a business to confirm their entitlement to a concession, rebate or service using CCeS. Businesses cannot use the service without customer consent. The business must verify the identity of the customer prior to obtaining consent and before using CCeS.

In accordance with the Privacy Act 1988, it is mandatory for a business to obtain consent from the customer prior to enquiring into their details and concession entitlement.

The customer’s consent is the legal basis to allow:

• the business to make enquiries into the customer's details through Services Australia so it can assess the customer’s concession entitlement.
• Services Australia to disclose the customer’s details to the business.

Customer consent is voluntary and customers may withdraw their consent at any time without having to give any reason to the business or the agency.

Businesses can obtain customer consent in writing, verbally or electronically. When obtaining consent, businesses must use wording substantially in a form as notified by the agency, or otherwise contained in the CCeS procedural guide. An example of the standard consent wording and consent requirements is available in the CCeS procedural guide.

A record of the customer consent must be maintained by the business for the agency's verification, should this be required.

Confirming the identity of the customer

As outlined in the CCeS Policy, a business must confirm the identity of the customer before obtaining consent. The customer identification process must use information provided by the customer, not simply verified by them. In other words, businesses should not send pre-populated forms to the customer to sign.

Additional person consent

Businesses must collect consent from each individual customer before they access their personal information. If eligibility for a concession, rebate or service is based on the confirmed information of multiple customers (for example, all household members listed on a housing application, or parental income for a student application) each customer must provide their own informed consent for the business to use CCeS.

Disclosure of customer information

There may be situations where a business must provide customer information from CCeS to a third party. For example, where they provide a concession on behalf of a second business and are being audited. This secondary disclosure is only permitted if the customer provides their consent (in the consent record) to have their information disclosed to the third party for the secondary purpose. See the CCeS procedural guide for the extra wording that must be included in the consent record when disclosing information to a third party.

Businesses can collect customer consent in writing, verbally or electronically.

When obtaining consent, businesses must use wording substantially in a form as notified by the agency, or otherwise contained in the CCeS procedural guide. An example of the standard consent wording and consent requirements is available in the CCeS procedural guide.

A record of the customer consent must be maintained by the business for 2 years after the customer ceases to be a customer and supplied to the agency if requested.

Written consent

The customer can complete and sign a paper form to show they give their consent. They can sign it using a ‘wet ink’ signature (physically sign with a pen).

Verbal consent

When a customer provides their consent verbally a business must:

• read the consent script to the customer
• obtain and record the customer’s verbal agreement
• create a consent record at the same time they get consent from the customer. This must include the words used to get consent

The consent record containing the verbal consent must include all of these:

• the date, time and location that the business obtained the consent
• the method of consent, for example over the phone or in person
• the name of the staff member of the business getting the consent, and
• the method used to confirm the identity of the customer

Electronic consent

A customer may provide their consent electronically in processes using:

• an online application or workflow (known as online consent)
• a digital or electronic signature in a document that is emailed to the business or lodged through an online portal. See Digital and electronic signatures for more details

When consent is collected electronically a business needs to:

• be able to verify that the customer has satisfied identity checks before obtaining consent for that customer
• be able to easily extract the consent record from their system, or store it in the customer’s file
• include a date stamp or date of online completion or submission for the consent record. They may also need to include the customer’s email address, IP address or portal user name depending on how they collected the consent
• provide screenshots of their online consent record to the agency for review. These should be referred to the CCeS program team for review who will ensure it meets all requirements
• include the additional consent wording set out in the CCeS procedural guide if the consent record is signed with a digital or electronic signature

Businesses can be asked to provide a customer journey map to show their consent collection processes for CCeS. See the Resources page for a customer journey map template that can be sent to businesses to complete.

A digital signature is a type of electronic signature with an encrypted protection of authentication on digital information, which is generally supported by specific software that enables digital signature capability. Examples include:

• a self-certified or self-signed signature, or
• a Certificate Authority-certified digital signature

An electronic signature is a representation of a person’s name or mark in a document or communication by electronic means, to identify the person and indicate the person’s intention to put their name against the document in question. Examples include a:

• typed name
• typed name with the appearance of a ‘wet ink’ signature
• digitised image of the customer’s actual ‘wet ink’ signature
• signature using a stylus on a touchscreen

Businesses that collect consent using digital or electronic signatures must be able to store and retrieve an auditable trail of consent receipt.

There is also additional consent wording required in the consent record. Refer to the CCeS procedural guide for the additional wording.

Audit trail requirements

A range of digital and electronic signatures are deemed to meet requirements as long as there is an auditable trail of consent receipt (and identity and consent standards are also met.). It is important to set clear standards for an auditable trail for each consent channel.

Email

If a business is accepting electronically signed consent by email, they should save the email and attachments in a secure and auditable system.

As a minimum the record will need to show the date and time the email was sent to the business and the customer’s email address.

Online portal

If a business receives electronically signed consent documents through an online portal there should be a digital audit trail of document submission with date and time and either the customer’s email address, IP address or portal username. There also needs to be evidence of a proper customer identity authentication process.

These standards refer to when electronically signed consent forms are submitted through a portal, not when consent is provided through an online flow (or online consent).

Other

The agency will not accept electronically signed consent forms submitted by mail (that is, electronically signed, then printed and posted to the business). Consent records posted to the business must be signed with a ‘wet-ink’ signature.

See the Resources page for a digital and electronic signature checklist.

When a customer has given their consent for a business to verify their details and concession entitlements using CCeS, there is no requirement to update the Centrelink record unless consent has previously been withdrawn.

A customer who has given consent for a business to enquire about their details and concession entitlements via CCeS, can withdraw their consent at any time. Customers do not need a reason to withdraw their consent. To withdraw consent, customers should notify the business that they have withdrawn their consent for the business to use CCeS to confirm the customer's concession entitlement.

If a customer does not wish to contact the business to withdraw their consent, the customer can then notify Services Australia either verbally or in writing to block the business' access. The customer will need to provide the full name of the business to the agency to do this.

The customer can choose to withdraw their consent with one business or a number of businesses where consent has previously been granted.

Where a CCeS business notifies the agency that its ownership or operations are being transferred to a new or different business, and that new business wishes to continue to provide customers with the concession, rebate or service provided by the business, the agency may:

• allow customer consent to be transferred to the new business
• decide that customer consent must not be transferred. This means the business must obtain new consent from each customer before it can use CCeS to confirm concessional entitlement

The new business must also be approved to use CCeS or apply if required.

Requests to transfer customer consent must be made in writing from an authorised officer of the business. A Program Manager from the Third Party Programs team will assess the request and make a decision to approve or reject it.

If the agency agrees to the transfer of consent, businesses must comply with the requirements outlined in the CCeS Policy. This includes writing to all impacted customers, at least 14 days before the transfer of business operations, to notify customers that:

• the new business will be providing the concession, rebate or service to customers from a specific date
• the new business will continue to use the customer’s consent, previously obtained by the old business, to use CCeS to obtain information from the agency to confirm customer eligibility for the concession, rebate or service, and
• if the customer does not consent to the new business obtaining information from the agency, they may tell the old business that their consent is withdrawn. When this happens, the business must notify the new business that the customer’s consent is withdrawn.

The agency has developed standard wording for businesses to use in communications to their customers, see the Resources page.

The new business will also need to be able to provide evidence of the transfer of customer consent for an individual customer if the agency requests this during a compliance review or investigation of a customer complaint.