An open letter
asking NHS England
to keep its code open

Code paid for with public money should be open to the public. This principle is enshrined in the UK Government Design Principles and the NHS Service Standard. It is now being walked back. We are signing this to restate the case.

Add your signature →

Published 1 May 2026 Status Open for signatures Andrew NesbittSoftware Developer and Researcher (Ecosyste.ms) AnonymousSoftware Engineer (Sainsbury's) AnonymousStudent Ben GravesSoftware Engineer Cameron BrownSoftware Engineer (Google) Daniel RoeCore team lead (Nuxt) Dr Cory Doctorow (h.c.) Donald HarveySoftware Engineer Heidar Bernhardsson Kai James Patient Lenard Szolnoki Martin van IJcken Matthew Bristow Miranda HeathResearcher (University of Edinburgh) Misha GorodnitzkyTechnical Architect Marcus BawGP, Clinical Informatician and Developer (Baw Medical, RCPCH, openEHR International) Paul Robert LloydInteraction designer Peter YatesProgramme Tech Lead (Department for Education) Robin Whittleton Sam CookSoftware Engineer Toby Dimmick Theodor VararuSoftware Engineer Vlad-Stefan HarbuzMaintainer (Open Source Pledge)

Statement

We disagree with the NHS technical leadership’s decision to hide the source code of all of their repositories.

Making code open source requires more work than keeping it closed. That hard work is the point.

It requires a higher bar of quality. It requires processes to proactively find, fix, and monitor for vulnerabilities. It requires identifying risk, and putting barriers in place to contain any damage when things go wrong.

But it works like the human immune system: being exposed to threats hardens the attack surface.

Closed source allows that work to be skipped. It substitutes obscurity for depth, and obscurity buys you precious little when a sufficiently motivated attacker is involved.

! Warning We call on NHS England to withdraw the SDLC-8 red line and reaffirm its commitment to the NHS Service Standard Principle 12: “Make new source code open.”

If you agree, sign your name using the form below. Submissions are reviewed by hand and you’ll appear on the page once approved.

Add your signature

There is a problem

Full name

Error:

Email address We’ll only use this to contact you about your signature. It won’t be published.

Error:

Have you contributed to UK public-sector software? This can be technical or non-technical, public or private.

Error:

Error:

Role (optional)

Error:

Organisation (optional)

Error:

Anonymity Sign anonymously Your signature will appear as “Anonymous”, followed by your role and organisation if provided. Personal data is deleted within 24 hours of verification. Add your signature Sign by email

Thank you, your submission has been accepted. We will review it by hand and contact you if we need any further information.

References

• NHS Goes To War Against Open Source
• NHS England rushes to hide software over AI hacking fears
• NHS Service Standard — Principle 12: Make new source code open
• NHS England quietly removes open source policy web pages (Digital Health)
• Don’t be afraid to code in the open: how to do it securely (GOV.UK)
• Does Mythos mean shutting down your open source repos? (shkspr.mobi)
• Discourse is not going closed source (Discourse)