In 2019, we resolved to annotate all instances of PII (personally identifiable information) in our data models, plus information on how & why that PII is stored and whether & how it is retired. The purpose of these annotations are both to hold developers accountable to properly handle PII and to enable Open edX operators to audit their own PII handling.
In the edx-platform repository, we (ostensibly) used CI to ensure that these annotations were being added to all Django models. We originally set the threshold that 94.5% of all models in edx-platform and its dependencies needed to be annotated.
At some point, however, this CI check was disabled. At some later point, the check was re-enabled, but it was not actually wired up correctly and has been raising a false-positive all this time. So, we have not been enforcing the 94.5% threashold for a while, and as you can guess, the % of annotated Django models has dropped over time.
As it stands today, 71.6% of edx-platform Django models are annotated. So, the Aximprovements team will fix the PII annotation CI check and adjust it to use 71.6% as the baseline threshold. They do not currently have the resources to fix the violations that have accumulated, though.
If any contributors are interested in working to add missing violations and raise the threshold back to thtat 90-100% range, feel free to use this thread to coordinate. Otherwise, just consider this a heads-up that many edx-platform models, particularly ones added between Juniper and Sumac, will be missing documentation of how & whether they use PII.