So if you're considering a SAR, be prepared for a bit of a fight to get the extended marketing data.
The
CCV and a bunch of other info was in the standard report but to get the extended marketing (which had the troubling sensitive data in) I had to push very hard and make a complaint to the ICO to get the extended report.
I knew they had certain other bits of data thanks to my experian SAR where I saw them sell certain household data to BA (that itself was purchased from Acxiom - a great one if you want to know how old marketeers think your boiler is or your % chance of buying the Daily Mail) and it wasn't until I sent them the proof of the data I knew they had on me (they tried to play the "we're a processor" multiple times despite Experian saying they were the processor and BA the controller) that I got the extended report (which also includes various social media nuggets and more details from their support team notes).
Sensitive customer was on the basic report for everyone though.
One thing I've learnt in submitting over 180 SARs so far is that you'll send one off and get a response that looks reasonable. It's only once you've submitted a lot of them (which conveniently enough had the line "Please provide all instances where any item of personal data or metadata/inferred data/modelled data about my data has been transferred or sold to any third party indicating the date of transfer, the grounds of the transfer and the controller or processor it was transferred to" in.
Thanks to that one line I was able to start drawing a map of who had sold/sent what where and thus found out that in over 50% of my SAR responses there was some missing data.
So it's an uphill battle then with every company involved trying to force them to provide either the data you know they have (which always reveals a load more data you didn't know they had - like modelled sexuality) or if they say they don't have it asking for proof of deletion.
I never used to really care too much about data privacy until I did my first SAR from a bank as part of a lending complaint. That's when I saw what else they held on me and the can of worms was opened.
Now I'm terrified. I know what data has been sent to the police/security services and god knows what other organisations so now rather than being concerned I've just accepted there is no way for me to put that genie back in the bottle!
I'm working with a colleague to see if we can build a DSARaaS type platform to help out people submit these in an automated way.
But yeah; if you wan't your CIV/CCV value a standard "I want all data you hold on me" to [email protected] attaching your passport, recent utility bill and frequent flyer number should do.