NHS England’s Code4Health program has been established to encourage small-scale process initiatives to be shared. Where these involve code development, current development practices almost inevitably include the use of open source code – bringing licensing obligations that many organizations are unaware of. Fortunately, Code4Health is taking steps so that NHS organizations avoid non-compliance with these obligations.
Open source licensing obligations are often unknown but cannot be ignored
NHS England is a highly disparate organization. Code development within it is not untypical of practices in many organizations with distributed autonomy; IT is now self-adopted, to an extent, allowing business units to consider addressing their own tactical opportunities. Code4Health could see a developer producing a facility for a local GP, for example, and the code subsequently being shared.
Many organizations are allowing development teams to take advantage of open source code, which is easily sourced online. This is often the default approach, and developers now adopt it almost universally. The benefits include increased efficiency of development, the result of using code that is already tested. However, many organizations let this happen without knowing the licensing obligations that using such code often carries. Typically, these obligations do not involve costs, but they do involve specific responsibilities, and organizations must comply.
Once a significant volume of open source code is in use within the organizational code base, the task of finding out what these licensing obligations are becomes large and onerous. Proactively assuring compliance as code is adopted involves governance over developer practices and other parts of the code “supply chain,” and the capability to run regular automated checks on the total code base.
Fortunately, NHS England is taking steps to ensure that the Code4Health program does not cause parts of the organization to be submerged in the deep waters of non-compliance, hopefully avoiding situations like the legal cases involving Versata in the US and VMware in Germany. Ovum strongly advises that other organizations take their obligations relating to open source usage seriously.
Alan Rodger, Senior Analyst, Enterprise ICT Management