Data Protection aND Retention Policy

---

Business name: Christopher Phillips t/a Kit Talent
Trading name: Kit Talent
Address: Unit 40, Clarendon Court, Warrington, WA2 8QP
Email: hello@kit-talent.com
Policy version: V1.2
Effective date: March 2026
Review date: March 2027

As a youth talent agency working with children, young people, young adults, parents and guardians, Kit Talent holds a range of personal information in order to provide representation, tuition, casting support and related services. This policy explains how personal data is managed internally, how long it is retained, how it is protected, and how Kit Talent seeks to ensure compliance with UK data protection law.

The UK GDPR principles include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. ICO guidance makes clear that these principles should sit at the heart of an organisation’s approach to personal data.

The purpose of this policy is to:

• set out how Kit Talent handles personal data internally; 
• identify the categories of personal data that may be collected and stored; 
• explain the systems used to store and manage information; 
• set out how long different categories of information are retained; 
• ensure personal data is kept secure and only for as long as necessary; 
• explain how rights requests, corrections and data protection concerns will be handled; 

This policy applies to personal data processed by Kit Talent in connection with:

• talent representation; 
• applications and expressions of interest; 
• represented and unrepresented talent; 
• private tuition; 
• self-tape coaching; 
• audition preparation; 
• workshops and group sessions; 
• online and in-person services; 
• showcases and events; 
• casting support and submissions; 
• communications with parents, guardians and clients; 
• financial and business administration.

For the purposes of UK data protection law, the data controller is:

Christopher Phillips t/a Kit Talent
Email: hello@kit-talent.com

Kit Talent will aim to ensure that personal data is:

• processed lawfully, fairly and transparently; 
• collected for specified, explicit and legitimate purposes; 
• limited to what is necessary for those purposes; 
• kept accurate and, where necessary, up to date; 
• retained only for as long as necessary; 
• kept secure using appropriate technical and organisational measures; 
• managed in a way that demonstrates accountability. 

ICO guidance says there are no fixed universal retention periods in data protection law, but organisations must be able to justify how long they keep personal data and should not keep it “just in case.”

Depending on the service being provided, Kit Talent may hold the following categories of personal data:

Personal and contact details

• names of children, young people, young adults, parents and guardians; 
• dates of birth or ages; 
• home addresses; 
• telephone numbers; 
• email addresses. 

Representation and application records

• enquiry and application details; 
• audition and casting information; 
• Spotlight-related information; 
• CVs and performance history; 
• school year and availability information; 
• notes from calls, meetings or consultations; 
• contracts and agreements. 

Images and media

• headshots and photographs; 
• self-tapes and videos; 
• audition recordings; 
• promotional materials where relevant. 

Service and session records

• tuition information; 
• session notes where appropriate; 
• communications relating to agency work, coaching or representation. 

Financial and administrative records

• invoicing records; 
• payment records; 
• bank details for payment purposes; 
• related business administration records. 

Communications

• email correspondence; 
• WhatsApp messages with parents or guardians; 
• records submitted through online forms. 

Sensitive or higher-risk information

In limited cases, Kit Talent may also hold more sensitive information where relevant and necessary, including:

• disability or access information; 
• health information relevant to participation or support; 
• safeguarding-related information; 
• other special category or sensitive information disclosed in the course of services. 

The ICO explains that special category data is more sensitive and requires extra protection, including both an Article 6 lawful basis and an additional Article 9 condition where applicable. 

Kit Talent may collect personal data through:

• website application or enquiry forms; 
• forms that feed directly into the secure Tagmin system provided by Spotlight; 
• direct email communication; 
• WhatsApp communication with parents or guardians; 
• information shared during calls, meetings, auditions or tuition; 
• documents, photographs, videos and self-tapes submitted by clients or applicants; 
• information received in relation to castings, submissions or professional opportunities.

Kit Talent stores and manages information primarily using the secure Tagmin system provided by Spotlight.

Personal data may also be accessible through:

• password-protected devices used to access business systems; 
• email systems; 
• WhatsApp communications with parents or guardians, where relevant to services. 

Kit Talent does not keep paper records as part of its normal operations.

Personal data will only be shared where there is a legitimate reason to do so and where it is appropriate, relevant and lawful.

Depending on the circumstances, Kit Talent may share personal data with:

• casting platforms such as Spotlight; 
• casting directors, production companies or production contacts; 
• parents or guardians; 
• tutors or coaches involved in supporting a client; 
• accountants or bookkeepers; 
• IT, software, storage or cloud service providers; 
• legal or professional advisers; 
• safeguarding authorities, local authorities, police or other agencies where required for safeguarding or legal reasons. 

Information sharing will be limited to what is necessary for the relevant purpose.

Kit Talent takes appropriate steps to protect personal data from loss, misuse, unauthorised access, alteration or disclosure.

These measures include:

• use of a secure digital management system; 
• password-protected devices; 
• two-factor authentication where available; 
• limited access to data, as Kit Talent is operated by a sole trader; 
• no routine use of paper records; 
• secure deletion or removal of data when no longer needed. 

The ICO states that the UK GDPR security principle requires organisations to use appropriate technical and organisational measures to keep personal data secure. 

Where Kit Talent processes special category data, health information, access information or safeguarding-related records, it will do so only where necessary and with appropriate care.

Such information will be:

• handled sensitively; 
• limited to what is genuinely needed; 
• accessed only where necessary; 
• retained only as long as justified; 
• shared only where appropriate and lawful. 

Where safeguarding information is processed, the welfare of the child or young person will remain the primary consideration.

Kit Talent will take reasonable steps to ensure personal data is accurate and kept up to date.

Parents, guardians, young adults and clients are encouraged to update personal details on Tagmin and Spotlight regularily, and notify Kit Talent if contact details, representation information, availability, photographs, bank details, access needs or other relevant information changes.

Outdated information should be updated or removed where appropriate.

Kit Talent will not keep personal data for longer than necessary. The ICO’s storage limitation guidance says personal data should be retained only for as long as needed for the purpose for which it was collected. 

Retention periods may vary depending on the type of data, the purpose for which it is held, legal obligations, safeguarding considerations, accounting requirements, and whether an ongoing professional relationship exists.

Where data is no longer required, it will be securely deleted or removed from active use.

General enquiries

General enquiries will normally be retained for 12 months from the date of the last meaningful contact, after which they will usually be deleted unless there is a continuing reason to retain them.

Unsuccessful applications

Information relating to unsuccessful applications will normally be retained for 6 months, after which it will usually be deleted unless there is a legitimate reason to retain it for longer.

Represented clients' core records

Core records relating to represented clients will normally be retained for the duration of representation plus 6 years, unless a longer period is required for legal, contractual, financial or safeguarding reasons.

Financial records and invoices

Financial records, payment records and invoices will normally be retained for at least 6 years in line with business record-keeping requirements.

Safeguarding records

Safeguarding records will be retained for longer and reviewed on a case-by-case basis, taking account of the seriousness of the concern, the age of the individual, legal obligations, and any ongoing safeguarding risk.

Photos, headshots and self-tapes

Photos, headshots and self-tapes will be reviewed regularly and deleted when no longer needed. Where materials are replaced by updated versions, the older materials will usually be deleted 12 months after the newer replacement materials come into active use, unless there is a reason to retain them for a longer period.

Bank details

Bank details collected for payment purposes will be retained only for as long as needed for active payment administration, accounting purposes, or related legal/business requirements, and then deleted when no longer necessary.

Email and WhatsApp communications

Email and WhatsApp communications will be retained only for as long as needed for the relevant client, application, tuition, representation, safeguarding or administrative purpose. Messages forming part of a safeguarding, contractual or financial record may need to be retained longer in line with the relevant category above.

Individuals may have rights under UK data protection law, including rights to access, correct, erase or restrict the use of their personal data, depending on the circumstances.

Any data protection requests, correction requests or queries should be sent to:

hello@kit-talent.com

Kit Talent will consider and respond to such requests in accordance with applicable law.

A personal data breach may include loss, unauthorised disclosure, accidental deletion, inappropriate access, or any security incident affecting personal data.

If a personal data breach is identified, Kit Talent will:

• assess the nature and scope of the breach; 
• take steps to contain and address it; 
• keep a record of the breach and action taken; 
• consider whether the breach must be reported to the ICO and/or affected individuals. 

ICO guidance states that organisations must keep a record of personal data breaches, regardless of whether they are reportable. 

This policy should be read alongside other Kit Talent policies and procedures, including:

• Privacy Policy; 
• Safeguarding and Child Protection Policy; 
• Equality, Diversity and Inclusion Policy; 
• Complaints Policy; 
• Online Safety / Communications Policy.

This policy will be reviewed regularly and updated where necessary to reflect changes in law, guidance, systems or business practice.