At times, Slack Securlet reports incidents against a deactivated user account in Slack.
This article goes into the reason behind this and provides an example.
Slack employs a different approach to event reporting: it attributes events directly to the user who owns the data.
This means that regardless of the user account status, whether active or inactive, Slack Securlet will report the incident against the data owner, typically the user account that first created or uploaded the file.
An example of an event that can trigger this is a new user being added to a Slack channel. This event triggers a full rescan of all the contents of the Slack channel. If the scan finds any content in violation of policy, the incident is attributed to the data owner, even when that user account is deactivated.