What bothers me is that if at some point this does turn out to be a GDPR violation, it'll be the NHS that ends up paying the costs... which in turn undermines the NHS, and costs tax-payers.
Summary: I'm not sure the people making these decisions give a crap; they win one way or another whatever the outcome. Perhaps the only way to solve that would be if it were possible to make specific individuals (i.e. head of NHS digital) personally liable?