NHS to close its software repos

The NHS Logo with a padlock symbol overlayed onto it.

It’s been reported that NHS Digital / England will reverse course on publishing the source code and close their public repos on GitHub.

Throughout my time working for the UK Government — in GDS, NHSX, i.AI, and others — I championed Open Source. I spoke to dozens of departments about it, wrote guidance still in use today, and briefed Ministers on why it was so important.
That’s why I’m beyond disappointed at recent moves from NHS England to backtrack on all the previous commitments they’ve made about the value of open source to the UK’s health service.

Terence Eden, NHS Goes To War Against Open Source

This is a great shame. Working in the public sector, one of the principles is that we code in the open, as public money pays for public code. Whilst this might not always be practical, to withdraw previously open repositories does seem like a regressive step. The NHS’s own service standard states that new code should be open source by default, to allow others to build upon it and to establish trust in digital services. This is particularly important at a time when more services move to digital first and there is significant debate on digital sovereignty and how we are becoming dependent on US tech firms. During the coronavirus pandemic NHSX developed a contact tracing app, and having that developed as open source was seen as important to encourage adoption, although as Terence points out in another blog post and video, that brought its own complications.

The reason stated for closing the repositories is that with new AI coding agents like Claude Mythos, having open source code is now more risky. I’m in agreement with others that this is probably closing the stable door after the horse has bolted. Also there is still some scepticism around the Mythos announcement. I do wonder whether the aforementioned experience of open sourcing the contact tracing app might have something to do with it. Security-wise, wouldn’t we do better following existing protocols around responsible disclosure and app sandboxing instead of reverting to security through obscurity?

There is currently a petition open to keep public NHS repositories open. I also hope there are efforts underway to archive the public NHS repos, as the organisation may see sense and change tack. I seem to remember that during the development of the contact tracing app, the NHSX team contributed improvements to the underlying Bluetooth service used by Apple and Google that was at the core of the service. Both the Gov.uk and NHS digital services have been hugely helpful in pushing the idea of sharing public code and encouraging others to open source their own repositories and providing work to build on. In a public sector that is increasingly looking at cross-organisation collaboration, going dark seems like a backwards move.
