I sounds like you didn't create his keys as that user. First of all, he shouldn't even know your passphrase so you probably want to use "ssh-keygen -N <newpassphrase>" to change it. You may have given him your own public & private keys as well, so you had might as well regenerate the from scratch.
Either generate a pair of keys for him, or better yet have him generate a pair and give you the public key. The add the public key to his $HOME/.ssh/authorized_keys file. That will enable him to log in. You should also disable root logins in /etc/ssh/sshd and use "allowusers <yourusername> <hisusername>" to lock down ssh. Using keys, I assume you disabled regular logins as well.
What is the default group of regular users. If it is "users" then create a group for each user of the same name (as the user) and make that the default, and use "sudo chgrp <default_group> /home/<user> -R" to change the default group in each person's HOME directory.
He will still be able to read system directories. Some like /bin/, /etc/, /usr/bin/, /usr/lib, etc. are needed. If you are going to run your system as a multi-user system, you should look into quotas. Take a look at /etc/security/limits.conf.
Take a look at this part of /etc/ssh/sshd_conf:
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
This will enable you to use key based authentication but still use pam for controlling limits.