opt-in, opt-out is missing the point
PNGuinn is being facetious but there is one point made that is really important - it's personal data (my data and your data). It should be the property of the people it comes from, then many problems with questions about data access in the NHS and many other places become vastly simplified. Imagine the personal data is the property (in law) of the people it relates to. If someone wants a copy then it's equivalent to asking to borrow someone's property - if someone doesn't provide that permission then it's a criminal offence (like TWOCing) if they take it anyway.
Sure, this leads to a great deal of work to manage permission, but that's the same in many other spheres of human activity. Having a simple and clear principle to work from, that everyone can easily understand (not like DPA or GDPR) prevents a huge amount of discussion and interpretation (leading to massive variation across systems and industries). Not to mention pissing 8 million quid up the wall.