In the past decade, there has been a surge in the number of sensitive human genomic and health datasets available to researchers via Data Access Agreements (DAAs) and managed by Data Access Committees (DACs). As this form of sharing increases, so do the challenges of achieving a reasonable level of data protection, particularly in the context of international data sharing. Here, we consider how excessive variation across DAAs can hinder these goals, and suggest a core set of clauses that could prove useful in future attempts to harmonize data governance.