legally, how long should case data be kept for in certain jurisdictions? are there specific archiving requirements for complete and ongoing cases? Im trying to work out what these are and what legislation/guidance documents this?
In Europe there's the GDPR that says you've got to specify duration.
Personally, when the court give me something at the end of my job I give them all, and I keep for myself only the copy of the expertise.
For private It's the same I keep only the expertise untill the end of the story.
For me in general, after the case is adjudicated and the prosecutor or the attorney who hired me, advises I can delete the case data.
If an examiner is told by the client to keep all the data for an agreed period of time and the suspect is found not guilty would the examiner and / or the client be in breach of GDPR?
Similarly if a person has been given a custodial sentence should data ever be kept after the person has been released?
Punishments for breaching GDPR are huge. I suspect it will be the examiner who retains the data that would be prosecuted rather than the client who insists it be kept.
Depends if you are talking about criminal or civil offences.
GDPR does not apply to data for criminal cases, however there is a separate set of rules that does.
Couldn't tell you what they are as the UK never signed up to that part!
As minime2k9 says GDPR isn't relevant for Criminal work.
Chapter 1, Article 2, Paragraph 2 (d) states
This regulation does not apply to the processing of personal data … by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
It seems also that there are some provisions for restrictions of scope of the GDPR in specific cases ( Section 5, Article 23 Paragraph 1 - (g) and (j) )
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(j) the enforcement of civil law claims.
And again in Article 49 ( Paragraph 1 - (e) ), the rules around transfers are given restrictions where
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
So to my eye - it looks as if the GDPR recognises the purpose of Forensics at least as a special scenario that's not subject to the same rules as the remainder of "Personal Data Processing".