That the HSCIC actively pursues a technical solution to allow access to data, without the need to release data out of the HSCIC to external organisations.
This. It should be right up at the top of the list of recommendations. Do this, and the other recommendations become less vital, or even irrelevant.
All "clearly identifiable", "anonymised" or "pseudonymised" data should be held strictly on HSCIC premises and equipment, and only processed at arm's length, with incoming queries and outgoing reports strictly vetted by the HSCIC.
All truly aggregate data can be openly published, in accordance with the government's welcome commitment to open data.
There's a prevailing tacit assumption held by many bureaucrats and politicians, which should be challenged, that the only way to handle data is to pass it around on USB sticks, or DVD discs, or something, and process it with Excel. It's this kind of ignorance that leads to unencrypted laptops full of sensitive data being left on trains.