Information security and privacy are very important to TJX. We have many protocols in place that are designed to help protect the security of our customers’ personal information. The Privacy pages on our retail
brand websites describe our privacy policies pertaining to the personal information we collect about our customers.
For many years, we have maintained an Information Management Program, led by our Chief Risk and Compliance Officer (CCO) and Information Risk Management Director. This program is overseen by TJX’s Information
Management Steering Committee, which meets regularly and includes a number of senior leaders, including the Data Protection Officer, Chief Information Security Officer (CISO), and Director of Internal Audit.
This Committee is responsible for developing and overseeing strategies to help TJX’s Information Management Program enhance the overall privacy, information security, and records management posture of
TJX. Our CCO and CISO regularly report to the Audit Committee of our Board of Directors.
Our Information Management Program incorporates several components, including:
Privacy: Our privacy policies address the types of personal information we collect from customers, how we may use that information, with whom we share that information, how we protect that information,
and how individuals can exercise their rights with regard to their personal information. We don’t generate revenue by selling personal information.
Information Security: While cyber threats are constantly evolving and no retailer can guarantee perfect security, we have a multi-faceted approach designed to reduce the risk of unauthorized access
to the personal information that we collect from customers. This approach includes measures like encryption for certain types of personal information, controls over access to TJX facilities and systems, along
with other threat- and risk-based safeguards.
Records Management: Our records management program consists of policies, guidelines, and practices designed to promote both the retention of company records to meet legal and business requirements
and the timely deletion of records and other documents, with particular emphasis on minimizing the retention of personal information where appropriate.
In addition to these components, we perform selected audits and make training available to appropriate TJX Associates.
Audits: Our Internal Audit team performs audits that address compliance with TJX information security policies and, along with other teams, reviews certain third-party service providers with respect
to their security practices concerning personal information.
Associate Training: Privacy and Information Security training is made available to appropriate TJX Associates and is tailored to their job functions. This training is often supplemented with other
education, communications, and an internal Information Management website, all designed to help our Associates understand our expectations in this important area.