...shared with research companies and clinical audits
So who are these research companies and clinical audits providers? I'd like to see a list of companies that TPP have shared the information with. GDPR makes a distinction between the data Controller and Processor in the relationship of data, typically we'd expect the NHS to be the data Controller and TPP as the data Processor... but I bet that TPP has registered as a Controller to decided the means and purpose of the data. Time to get the Subject Access Requests into them to find out who they've shared your data with - probably every insurance and pharmaceutical company out there paying silk road rates for your data!