Canadian Tire

Privacy & Data Security

Our Commitment

We are committed to protecting and building the trust that Canadians have in our use and protection of data.

We believe the trust Canadians have in our brand is our competitive advantage. This trust extends to our use of data, analytics and technology, especially as we increasingly invest in these areas to deliver on our Better Connected strategy of enhancing the omnichannel customer experience.

Our business increasingly uses data, analytics and technology to provide Canadians with improved customer experiences, including products and services they need and want, and convenient and customized offers. We curate analytics-informed offerings that are designed to save customers time, effort and money all while improving our operational efficiencies. Our conduct is firmly anchored in a priority that has been a part of CTC since its beginning: earning and safeguarding customer trust. In this case, we do so by investing in people, processes and technology to protect customers’ personal information and our Company’s digital assets.

Organizations, including CTC, are legally bound to treat personal information with care and inform people about how they are collecting, using, sharing and protecting this data. Canadians expect to be given choices and retain control over how their personal information is being used. CTC has a long and successful history of managing the sensitive data of millions of Canadians through our Canadian Tire Bank and continues to do so across all areas of the enterprise. This legacy of privacy and security is infused in all of CTC’s operations, and as we focus even more on data-driven solutions in our businesses, we will seek best-in-class technologies and practices to meet customer expectations.

Risks and responsibilities related to data privacy, the ethical use of data and the management and security of that data extend to our employee, supplier and corporate information, especially as it concerns our stewardship of data at Canadian Tire Bank. As governments consider increasing regulation relating to these matters, the investments we are making to further prioritize customer trust in our data collection and storage practices will support both compliance and disclosure. We believe that our data use and protection policies and practices help mitigate risks and contribute to upholding the brand trust that so many Canadians have placed in us.

We Are Here to Make Life in Canada Better by ethically and responsibly leveraging the power of technology and data to provide Canadians with superior customer and workplace experiences.

Our Approach

1. Promoting a culture and awareness of trust, transparency and privacy

At CTC, we believe few things are more important than the trust we have fostered with Canadians for over 100 years. Our privacy program, overseen by our Chief Privacy Officer, seeks to build on this legacy as our business, customers and communities evolve. We do this through a comprehensive data privacy program that is centred on trust and transparency, while also working together with the Company’s cyber security program to ensure that any data we receive is sufficiently protected.

Our privacy program is embedded in all areas of the business, working closely with the first-line recipients of data to ensure it is collected in a way that is easy to understand and transparent. Annual training is delivered to all employees to reinforce the importance of our privacy practices and to ensure that awareness of and respect for privacy are at the forefront of our everyday activities. In 2022, 99.9% of our Canadian corporate employees completed this training. Additionally, we publish and honour an Employee Privacy Policy, which also covers employees of CT REIT. To learn more about how we collect, use, disclose and protect personal information from our customers, please see our Privacy Policy. Some of our subsidiaries also maintain privacy policies of their own, including CT REIT.

In 2022, CTC successfully marked another year without fines or penalties from privacy-related regulatory compliance enforcement actions. As the expectations of our customers, employees, stakeholders and regulators continue to evolve, so too will our work to iterate and improve upon our program.

Using data and analytics to drive value

CTC’s Data in Action program supports scalable, secure and centralized data technology platforms that enable data-driven insights to maximize business efficiency and provide greater value to our customers. For example, we analyze the localized demand of our customers to inform our purchasing decisions, our allocation and replenishment to stores, the offers we present and the placement of our product on our website. Customer needs, reinforced by data, are at the forefront of all our decisions.

Within the Data in Action program, we also advance our Responsible Artificial Intelligence initiatives, which serve to manage the risks and opportunities associated with artificial intelligence. Our artificial intelligence capabilities are built on a foundation of trusted and governed data that prioritizes customer privacy above all else.

2. Building strong cyber security practices to safeguard technology and data

We work to ensure trust is built into every customer interaction, and that includes how we protect our technology and data. CTC recognizes that cyber security is not just a technology challenge but a business imperative that calls upon each employee to play an important role in maintaining constant vigilance. By building a culture of cyber security awareness within the Company, along with integrated policies and standards, an embedded multi-layered set of controls and round-the-clock monitoring, we ensure that the Company remains resilient against cyberattacks.

Accountability for our cyber security program, operations and governance ultimately resides with our CEO, but the program is executed by our Chief Information Security Officer, who is supported by our Chief Information & Technology Officer and our Enterprise Risk Committee. We are committed to continuous improvement by conducting regular reviews of our program, assessing our capabilities and controls, and staying informed of cyber security risks, current threats and incidents. CTC leverages the National Institute of Standards and Technology Cybersecurity Framework, which provides a structured and consistent approach to managing cyber security risk, a common language and consistent measurement of our progress. This approach is designed to address key cyber security risk scenarios related to our business.

Building our cyber security culture at CTC

We have developed cyber security policies and standards that meet or exceed legal and regulatory requirements, industry standards and internal policies (e.g., data classification and retention), and our program is subject to internal, external and regulatory audits.

Our cyber security training and awareness program updates users and keeps them informed of cyber security risk, current threats and expected cyber secure behaviours.

To maintain resiliency against phishing attacks, we keep up to date on current research and conduct simulated phishing campaigns to make employees aware of phishing risks and the expected responses when faced with real phishing attempts.

CTC has a robust threat management and intelligence program that identifies cyber security threats and mitigates risks (e.g., vulnerabilities). To enhance our awareness of emerging cyber security threats, we collaborate with government, information-sharing organizations and regulatory agencies, and take part in external events to stay on top of industry trends. We continuously monitor our environment using sophisticated tools and techniques to detect, respond to and recover from potential cyber security issues. CTC’s “defence in depth” strategy provides many layers of cyber security controls, integrating people, technology and operational capabilities to establish barriers across multiple layers of defence.

As a result of our sustained commitment to cyber security, CTC did not experience any material breaches or incur any cyber security–related regulatory compliance enforcement actions in 2022. We continue to innovate and evolve our cyber security program to mitigate legacy cyber security risks and progress on our long-term cyber security strategy for the future.

CYBER SECURITY PROGRAM HIGHLIGHTS:

  • We maintain strong cyber security leadership and talent through our recruiting and retention strategies and focus on staff skills development.
  • We use an agile operating model that enables our team to effectively adapt to changes in the threat landscape.
  • We produce risk-based cyber security performance analytics and reports to provide visibility and oversight to the CTC Enterprise Risk Committee, CTC Audit Committee, CTC Board and the Canadian Tire Bank Cross-Functional Risk Committee governing bodies.
  • We are committed to strengthening the cyber security community by sharing information with other organizations and regulatory agencies.
  • Our cyber security risk assessment process is embedded in our business, enabling the identification and communication of cyber security risks, and allowing the organization to identify, mitigate and increase visibility to third-party cyber security risks.
  • Our remote access model, which allows employees to work virtually, leverages secure solutions to facilitate safe external access into our digital business environment.
  • Our data protection capabilities are in place to identify sensitive information, facilitate protection and reduce the risk of data loss.
  • We conduct regular and extensive testing both internally and with multiple external organizations with the purpose of continuously improving our overall cyber-risk posture.

Unless otherwise indicated, information in this ESG Report is provided for the 2022 fiscal year. For further information on our approach to ESG reporting, including our Glossary, which sets out definitions of capitalized terms and acronyms that are not otherwise defined on this page, and our forward-looking information disclaimer, please click here.