Re: personally identifiable information
"PII" is not a defined term under the GDPR. Personal data as defined in the regulation need not be able to identify you on its own, but may do so if accumulated with other information (also not necessarily able to identify you on its own). And none of it need put a name to you to be subject to the requirements of the GDPR. Consequently a web access history tied to a single IP address may be personal data if it's unique (as it probably will be) even if no action is taken to attach a name to the IP address.
Consequently, just for example, facebook widgets on multiple independently hosted web pages might create a browsing profile at facebook that would constitute personal data under the regulation - indeed, depending on the context of the pages viewed, even sensitive personal data requiring data subject consent under Article 9. The nature of the site in question here could quite possibly cause such a profile to fall into this category.
It should be borne in mind by any site owner authorising or allowing allowing such automated tracking that they probably become a joint controller with the tracking organisation, and thereby jointly responsible with that organisation for any breach of the regulation, and it would be no defence to assert ignorance on the basis that web site creation was outsourced.
So if any one of these trackers were to breach your rights under the regulation, the Scottish NHS would be jointly liable, and remember that it's your human rights under the European Convention that are protected, not just your GDPR rights in respect of the data.