Because the privacy act now allows you to collect, use and disclose personal information only for stated purposes, complying with PIPEDA will also require your business to get into the habit of determining why you are going to collect particular types of data, and how you are going to use them, before you collect or use them. Remember that you can collect personal information only for a stated purpose, and you must be able to tell the person from whom you are collecting the information why the data is needed.
Each identified purpose will need to be recorded in some accessible way, in case an individual wants to access this information. Once again, you will also need to review all of your business's personal information to determine whether or not each item of data was collected for a specific purpose. Information that is no longer required for an identified purpose should be erased, destroyed or rendered anonymous.
While one of the principles of PIPEDA is to "be open", your business has to be very careful in its handling of personal information. You need to have a system in place to give individuals who so desire access to their information, but you must be careful not to "disclose personal information unless you are sure of the identity of the requestor and that person's right of access". You need to protect personal information from loss or theft, and safeguard it from unauthorized disclosure, copying, use or modification.
For small businesses, this may involve physical changes to the way you currently store such information, as well as instituting security policies. You may need to install locks on the filing cabinets where you store papers containing personal data, install alarms, or set up restricted zones. Data stored on computers needs to be secured by passwords, encryption and firewalls, and backed up regularly, with the backups stored off-site to guard against loss by fire or theft. If you have employees, you need to ensure that they are aware of the importance of keeping personal data confidential and of whatever security measures you have implemented.
PIPEDA means that your small business is going to have to review its collection and handling of personal information, and perhaps institute new policies and procedures to ensure compliance. Hopefully this article has served as a useful starting point. To learn more about PIPEDA and how to ensure that your business complies with the new privacy act, I recommend reading the Privacy Commissioner of Canada's Guide For Businesses and Organizations to Canada's Personal Information Protection and Electronic Documents Act.