They're charging a nominal additional fee for the additional paperwork involved in ensuring the necessary approvals have been met. You can see the types of organizations that get their "personally identifiable" data requests approved by a separate body here:
http://www.hra.nhs.uk/about-the-hra/our-committees/section-2...
A quick glance at some of the approvals suggests that yes, the information is very personally-identifying indeed but the cohorts are pretty small and not obviously commercially valuable, and the types of organisations getting the data sound no more likely to resell it than my GP (and even less likely to make a profit on it). And my GP and his admin staff and various other NHS employees have had access to it for some years now.
A quick glance at some of the approvals suggests that yes, the information is very personally-identifying indeed but the cohorts are pretty small and not obviously commercially valuable, and the types of organisations getting the data sound no more likely to resell it than my GP (and even less likely to make a profit on it). And my GP and his admin staff and various other NHS employees have had access to it for some years now.