Who should have the ability to initiate export of PII from OIMS?

Controlling who can export PII relies on strict access controls and formal authorization. Exporting sensitive personal data is a high-risk action that should only be performed by individuals in roles that have a legitimate business need and have received documented licensing or approval to do so. This ensures accountability, enables proper auditing, and enforces the principle of least privilege, reducing the chance of accidental or intentional data leakage. Allowing any user with access opens the door to misuse and violations of privacy policies. Limiting the action to the system administrator only is too restrictive—there are legitimate business roles that may need to export data when properly authorized. External partners with approval could be allowed, but only within the framework of authorized roles and the same licensing/approval process, not as a blanket permission.