FSFE: NHS England should not hide public code behind closed doors - FSFE
FSFE: NHS England should not hide public code behind closed doors
England’s National Health Service (NHS England) is preparing to make
most of its public source code repositories private by default,
according to recent reports. The move appears to be based on concerns
that public code repositories could be scanned by AI systems to identify
vulnerabilities. The reported internal guidance, referred to as
“SDLC-8”, would require public repositories to be made private unless an
explicit exception is approved.
The Free Software Foundation Europe (FSFE) considers this a serious move
in the wrong direction. Taking already public repositories offline does
not prevent attackers from analysing deployed systems, dependencies,
interfaces, or binaries. Depublishing does not make code unseen, nor
does it remove existing copies, and it is not an effective security
measure. Instead, it removes a fundamental pillar for security: the
ability of independent experts, researchers, and other public bodies to
inspect, reuse, and improve the code, and to report on security issues.
“Depublishing public code is not a security strategy. 'Security through
obscurity’ has been debunked as a security measure for a long time. Making
repositories private does not protect NHS systems. It only limits who
can help find and fix problems. The same is true for future code:
releasing publicly funded software as Free Software creates better
conditions for scrutiny, accountability, and security than locking it
away by default”, says Johannes Näder, FSFE Senior Policy Project Manager .
Releasing publicly funded software as Free Software is the core
demand of the FSFE’s “[Public Money?
Public Code!](https://publiccode.eu/en/)” initiative. It is also the principle behind existing
NHS and UK guidance: NHS England’s own Service Standard states that
[new
source code for public services should be open and reusable](https://shkspr.mobi/blog/2026/05/nhs-goes-to-war-against-open-source/) because
public services are built with public money. UK government guidance
similarly requires new source code to be open and reusable, while
allowing only narrowly defined exceptions.
“If NHS England decides to depublish its services' code, that would
directly contradict its own guidance and the wider UK principle of
making publicly funded code open by default. Security
concerns should be addressed through proper software engineering:
secret management, vulnerability handling, dependency maintenance,
reviews, and defence in depth. A blanket shift from open by default to
closed by default is disproportionate and counterproductive," says Näder.
Free Software enables independent audits, fosters local expertise, and
allows public bodies to share and improve solutions together. In the
health sector, where trust, resilience, and accountability are
essential, these benefits are particularly important. Furthermore,
“Public Money? Public Code!” fosters innovation and is one of the most
effective tools to reduce lock-in, reducing public administrations’
dependency on proprietary vendors, and enabling digital sovereignty.
The FSFE therefore calls on NHS England to reverse any blanket
private-by-default policy for publicly funded code, to publish the
reported guidance, and to reaffirm that Free Software remains the
default for publicly funded software.
Source: Terence Eden's Blog: NHS Goes To War Against Open Source
Update 06.05.2026: An open letter calls on NHS England to keep its code open: https://keepthingsopen.com
Tags
Share and support
*Some services may be Free Software unfriendly and harm your privacy. Learn more.*
Press
About the FSFE
Free Software Foundation Europe is a charity that empowers users to
control technology.
Software is deeply involved in all aspects of our lives. It is important
that this technology empowers rather than restricts us. Free Software
gives everybody the rights to use, study, share, and improve software.
These rights help support other fundamental rights like freedom of
speech, freedom of press, and privacy.
