Canadian Tire

Privacy & Data Security

Our Commitment

We are committed to protecting and building the trust that Canadians have in our use and protection of data.

We believe the trust Canadians have in our brand is our competitive advantage. This trust extends to our use of data, analytics and technology, especially as we increasingly invest in these areas to deliver on our Better Connected strategy of enhancing the omnichannel customer experience.

Our business increasingly utilizes data, analytics and technology to provide Canadians with improved customer experiences, including products and services they need and want, and convenient and customized offers. We engage in analytics-informed offerings that are designed to save customers time, effort and money all while improving our operational efficiencies. Our conduct is firmly anchored in a priority that has been a part of CTC since its beginning: earning and safeguarding customer trust. In this case, we do so by investing in people, processes, and technology to protect customers’ personal information and our Company’s digital assets.

Organizations, including CTC, are legally bound to treat personal information with care and inform people about how they are collecting, using, sharing and protecting this data. Canadians expect to be given choices and retain control over how their personal information is being used. CTC, through our Canadian Tire Bank subsidiary, has a long and successful history of managing the sensitive data of millions of Canadians. This tradition of keen awareness of privacy and security has been infused in all of CTC’s operations as we focus even more on data-driven solutions in our businesses. As we evolve our use of data and analytics, we will seek best-in-class technologies and practices to meet customer expectations.

Risks and responsibilities related to data privacy, the ethical use of data, and the management and security of that data extend to our employee, supplier and corporate information, especially as it concerns our stewardship of data at Canadian Tire Bank. As governments consider increasing regulation relating to these matters, the investments we are making to meet our aspiration will support both compliance and disclosure. We believe that our data use and protection policies and practices help mitigate risks and contribute to upholding the brand trust that so many Canadians have placed in us.

We Are Here to Make Life in Canada Better by ethically and responsibly leveraging the power of technology and data to provide Canadians with superior customer and workplace experiences.

Our Approach

1. We diligently protect personal information and are transparent with our customers

CTC maintains enterprise-wide policies, procedures, standards and guidelines to help protect the personal information of our stakeholders.

Corporately, we publish and honour an Employee Privacy Policy, which also covers employees of CT REIT, and a customer-focused Privacy Policy. These policies explain how we collect, use, disclose and protect personal information. We maintain clear and easily accessible policies and practices so stakeholders can find answers about how we manage their information.

We ensure that training on our risk management and cybersecurity programs is part of our employee onboarding process. Because our processes are always evolving, all employees are required to review the policies and take part in a training module annually.

CTC has also established a set of policies and standards that specifically govern our cybersecurity practices. These are based on the National Institute of Standards and Technology’s Cybersecurity Framework, regulatory requirements and other industry-standard control frameworks. Read our Cybersecurity section below for more details.

Using data and analytics to drive value

CTC’s Data In Action program supports scalable, secure and centralized data technology platforms that enable data-driven insights to maximize business efficiency and provide greater value to our customers. For example, we analyze the localized demand of our customers to inform our purchasing decisions, our allocation and replenishment to stores, the offers we present, and the placement of our product on our website. Customer needs, reinforced by data, are at the forefront of all of our decisions.

Within the Data In Action program, we also advance our Responsible Artificial Intelligence initiatives, which serve to manage the risks and opportunities associated with artificial intelligence. Our artificial intelligence capabilities are built on a foundation of trusted and governed data that prioritizes customer privacy above all else.

2. We consider cybersecurity a critical business imperative

CTC acknowledges that cybersecurity is not just a technology challenge but a business imperative, with ultimate accountability residing with the CEO. Each senior executive plays a role in ensuring the Company maintains constant vigilance. Accountability for the cybersecurity program, operations and governance is held by our Chief Information Security Officer, who reports to and is supported by our Chief Information & Technology Officer and our Enterprise Risk Committee. Together, we are staying ahead of threats to our organization through integrated policies, an embedded multi-layered set of controls and round-the-clock monitoring.

We work to ensure trust is built into every customer interaction. How we operate is critically dependent on our technology and data, and so we ensure that our systems remain resilient against cyberattacks. In addition to cybersecurity policies that guide and govern our practices, our Information Governance team has established standards and controls related to data classification and records retention. Our cybersecurity program is subject to internal, external and regulatory audits to validate control design adequacy and operating effectiveness.

We are committed to continuous improvement by conducting regular reviews of cybersecurity policies and standards, assessing our capabilities and controls, and testing our ability to respond to potential cyber threats. The National Institute of Standards and Technology Cybersecurity Framework provides CTC with a structured and consistent approach to managing cyber risk, a common language, and consistent measurement of our progress.

Through our threat management and intelligence program, we identify threats and mitigate risks (e.g., vulnerabilities) to help prevent attacks. To enhance our awareness of threats, we collaborate with government, information-sharing organizations and regulatory agencies, and take part in external events to stay on top of industry trends and tools. Our Security Information and Event Management team monitors our environment 24/7 using modern security tools and techniques to detect, respond to and recover from potential cybersecurity issues. CTC’s “defence in depth” strategy provides many layers of cybersecurity controls, integrating people, technology and operational capabilities to establish variable barriers across multiple layers of defence.

The need to support the evolution of our business model and adapt to the changing operating environment has driven extensive cybersecurity transformation. To mitigate legacy cyber risks while continuing to progress on long-term and sustainable cyber risk practices for the future, we continue to execute on our multi-year cyber transformation strategy. These enhancements strengthen our resilience and shift the organization to a more deeply integrated and sustainable enterprise approach to cyber risk management. The initiatives and programs that drive this strategy are designed to address key cyber risk scenarios related to our business.

Cybersecurity Program Highlights:

  • Our cybersecurity training and awareness programs continually evolve to update users and keep them informed of cybersecurity risk, current threats, and expected cyber-secure behaviours. To maintain resiliency against phishing attacks, we keep up to date on current research and update our simulation phishing program accordingly. Through the program, our employees are made aware of phishing risk and actions to take when faced with real phishing attempts.
  • We engage in extensive research on emerging and prevalent cybersecurity threats to continually increase the effectiveness of our threat intelligence program.
  • Our cybersecurity risk assessment process, which we continue to evolve, is embedded in our business, enabling the identification and communication of cybersecurity risks, and allowing the organization to make risk-based decisions.
  • We have a third-party cybersecurity risk management framework to identify, mitigate and increase visibility on third-party cybersecurity risks associated with digital crown jewels.
  • Our remote access model, which allows employees to work virtually, leverages secure solutions to ensure safe external access into our digital business environment.
  • We have data protection capabilities in place to identify sensitive information, ensure protection and reduce risk of data loss.
  • We conduct regular and extensive testing, both internally and with multiple third-party external organizations, with the purpose of continuously improving our overall posture.

Unless otherwise indicated, information in this ESG Report is provided for the 2021 fiscal year. For further information on our approach to ESG reporting, including our Glossary, which sets out definitions of capitalized terms and acronyms that are not otherwise defined in this page, and our forward-looking information disclaimer, please click here.