FSFE: NHS England should not hide public code behind closed doors - FSFE


England’s National Health Service (NHS England) is preparing to make most of its public source code repositories private by default, according to recent reports. The move appears to be based on concerns that public code repositories could be scanned by AI systems to identify vulnerabilities. The reported internal guidance, referred to as “SDLC-8”, would require public repositories to be made private unless an explicit exception is approved.

The Free Software Foundation Europe (FSFE) considers this a serious move in the wrong direction. Taking already public repositories offline does not prevent attackers from analysing deployed systems, dependencies, interfaces, or binaries. Depublishing does not make code unseen, nor does it remove existing copies, and it is not an effective security measure. Instead, it removes a fundamental pillar for security: the ability of independent experts, researchers, and other public bodies to inspect, reuse, and improve the code, and to report on security issues.

“Depublishing public code is not a security strategy. ‘Security through obscurity’ has been debunked as a security measure for a long time. Making repositories private does not protect NHS systems. It only limits who can help find and fix problems. The same is true for future code: releasing publicly funded software as Free Software creates better conditions for scrutiny, accountability, and security than locking it away by default”, says Johannes Näder, FSFE Senior Policy Project Manager.

Releasing publicly funded software as Free Software is the core demand of the FSFE’s “[Public Money? Public Code!](https://publiccode.eu/en/)” initiative. It is also the principle behind existing NHS and UK guidance: NHS England’s own Service Standard states that [new source code for public services should be open and reusable](https://shkspr.mobi/blog/2026/05/nhs-goes-to-war-against-open-source/) because public services are built with public money. UK government guidance similarly requires new source code to be open and reusable, while allowing only narrowly defined exceptions.

“If NHS England decides to depublish its services’ code, that would directly contradict its own guidance and the wider UK principle of making publicly funded code open by default. Security concerns should be addressed through proper software engineering: secret management, vulnerability handling, dependency maintenance, reviews, and defence in depth. A blanket shift from open by default to closed by default is disproportionate and counterproductive”, says Näder.

Free Software enables independent audits, fosters local expertise, and allows public bodies to share and improve solutions together. In the health sector, where trust, resilience, and accountability are essential, these benefits are particularly important. Furthermore, “Public Money? Public Code!” fosters innovation and is one of the most effective tools to reduce lock-in, reducing public administrations’ dependency on proprietary vendors, and enabling digital sovereignty.

The FSFE therefore calls on NHS England to reverse any blanket private-by-default policy for publicly funded code, to publish the reported guidance, and to reaffirm that Free Software remains the default for publicly funded software.

Source: Terence Eden's Blog: NHS Goes To War Against Open Source

Update 06.05.2026: An open letter calls on NHS England to keep its code open: https://keepthingsopen.com


About the FSFE

Free Software Foundation Europe is a charity that empowers users to control technology.

Software is deeply involved in all aspects of our lives. It is important that this technology empowers rather than restricts us. Free Software gives everybody the rights to use, study, share, and improve software. These rights help support other fundamental rights like freedom of speech, freedom of press, and privacy.