Following your organization's data security practices is not immoral. To me, refusing to accept a PDF is no different than running a cash only store and refusing to accept credit cards as payment.