@michal.nykiel - Yes. If you are storing username and user key today then you are storing not safe to store identifiers and will need to indicate Yes.
If user references are the only thing you store and you plan to remove username and user key after you’ve migrated your data store to accountID then I’d recommend indicating yes to represent accurately that you are storing not safe to store identifiers, prioritizing the migration to accountID and deletion of username and user key from your data store OVER implementing the personal data reporting API and then once your data store only contains accountID updating the field to say “No”.