Re: "We do not sell data. We only seek to recoup costs"
...so they're providing valuable IP for a nominal fee. That IP can then be used for research which will result in new treatments. So far so good but at some point that's going to be used by non-UK drug and medical services suppliers who, of course, have no intention to profit from it...
The aggregated NHS patient database is an extremely valuable national asset the US drug companies among others would love to get their hands on so they can develop treatments to sell back to the UK and the rest of the world. I'd rather the value of that resource was used for the benefit of UK patients, UK research teams, the NHS and UK medical companies.
I wouldn't have a problem with fully anonymised data being sold outside UK but in that case it must be at a market price not just P&P and properly anonymised in such a way as to ensure that it can't be cross referenced with, say Facebook profiling data so I'd start getting adverts for adult diapers and find nobody wanted to sell me travel insurance.
The big problem is that the NHS and UK government both have a proven world-class history of utter incompetence in respect of IT and negotiate through rose-tinted spectacles. I just do not trust them to act with intelligence, competence or integrity.
Have Dido Harding or Russell Haworth applied to head up the GPDPR yet? Sounds like they have the requisite skill set, experience and track record...
Anyway it's all immaterial, the database will be hacked, leaked and made public for all and sundry to do whatever they wish with it and those guys wont have any scruples about personally identifiable information.