I have been considering:
a) Sending a Data Deletion Request to both organisations
b) After the request has been actioned, or some time elapsed, submit a Subject Access Request
c) If they still hold any information they are not supposed to, report them to the ICO
Worth doing?