23—Data protection policy

23. (1) A data controller or data processor shall develop, publish and regularly update a policy reflecting their personal data handling practices.

(2) A policy under sub-regulation (1) may include—
(a) the nature of personal data collected and held;
(b) how a data subject may access their personal data and exercise their rights in respect to that personal data;
(c) complaints handling mechanisms;
(d) lawful purpose for processing personal data;
(e) obligations or requirements where personal data is to be transferred outside the country, to third parties, or other data controllers or data processors located outside Kenya and where possible, specify such recipients;
(f) the retention period and schedule contemplated under regulation 19; and
(g) the collection of personal data from children, and the criteria to be applied.

PART IV—OBLIGATIONS OF DATA CONTROLLERS AND DATA PROCESSORS