Only one of 10 government entities surveyed as part of a cyber security audit has a formal data retention and storage policy in place, the National Audit Office has said. An NAO audit found that only Malta Enterprise had a clearly defined policy for keeping and deleting personal data, as required by the Data Protection Act.